call +44 20 7096 1079


June 07, 2013 | Peter Bradwell

PRISM: The FISAAA smoking gun

We'll be posting analysis through the day about the revelations about PRISM and the NSA. Here's some background on the Foreign Intelligence Services Act.

UPDATED: see presentation by Caspar Bowden below.

The slides about secret data access under the 'PRISM' programme published today seem are somewhat of a smoking gun. Concerns about the implications of the Foreign Intelligence Services Act (FISAA), and in particular section 1881a, have been around for a while. For example, a report for the LIBE Committee of the European Parliament last year (co-authored by Caspar Bowden, who will be speaking about this at ORGCon tomorrow) said:

"So far, almost all the attention on such conflicts has been focussed on the US PATRIOT Act, but there has been virtually no discussion of the implications of the US Foreign Intelligence Surveillance Amendment Act of 2008. §1881a of FISAA for the first time created a power of mass-surveillance specifically targeted at the data of non-US persons located outside the US, which applies to Cloud computing. Although all of the constituent definitions had been defined in earlier statutes, the conjunction of all of these elements was new."

These revelations could have potentially devastating consequences for cloud computing. As noted in our previous blog, the UK government have some big questions to answer. 

This presentation (PDF) by Caspar Bowden contains very detailed explanations.

We also asked Professor of International Law Douwe Korff for his explanation of what's happening. Here's what he said:

 "US law makes non-US citizens living outside the USA completely fair game for unlimited surveillance by the US intelligence agencies, in particular under FISAA para. 1881a.  That paragraph effectively removes all restraints on the monitoring by US intelligence agencies of such non-US-citizens' e-communications, mobile phone communications, SKYPE conversations, social network exchanges, SMS texts or Internet browsing and video- and photograph- and file-sharing.

It is not even necessary that the surveillance is relevant to US national security issues.  Moreover, the US legislators and courts have consistently denied US constitutional protections to non-US citizens:  in all relevant respects in relation to surveillance by the US authorities, the Constitution simply does not apply to such non-US-citizens.  Protestations by US authorities that their legal system provides basically the same protection as is provided to EU citizens under European human rights and data protection law are quite simply untrue and deliberate attempts to hide the absence of any real protection of non-US-citizens from the US  global surveillance system. It is time civil society groups on both sides of the Atlantic join hands to fight against the new global Big Brother environment that is being created by supposedly democratic governments in both the USA and Europe."

Caspar Bowden has been expressing concerns about the FISAA provisions for some time. He'll be giving an hour long talk tomorrow at ORGCon on exactly this topic - it should be rather interesting! 

[Read more] (1 comments)

June 07, 2013 | Jim Killock

PRISM - Diffracting non-US Citizens' basic privacy since 2007?

It's being reported by the Guardian and Washington Post that the US National Security Agency can routinely access the sensitive data stored by big web firms including Facebook, Google, Skype, Microsoft, Yahoo, YouTube and Apple.

Top secret slides from the US National Security Agency say that email, video and voice chat, videos, photos, voice-over-IP chats (eg. Skype), file transfers, video conferencing, social networking details and 'Special Requests' are all collectable.

The web companies' response has been that if this has been happening, they were unaware of it and that they don't give government direct access to their servers. 

The Director of US National Intelligence, clearly talking with a US audience in mind, said that the law allowing this apparent collection of communications ensures that only "non-U.S. persons outside the U.S. are targeted."

Such a statement is intended to put American minds at rest. Where this leaves the rest of the world - including UK citizens, businesses, charities, MPs, campaigners and NGOs - is another matter.

In the light of this, the UK Government has very serious questions to answer.

  1. What did the UK Government know about the PRISM programme?
  2. Given the history of collaboration between the US and the UK, can they give us assurances that UK secret services have not been involved in the PRISM programme?
  3. Will the UK Government be seeking clarification from the US Government about whether the data of UK citizens is being monitored by the NSA?
  4. Has the UK received any intelligence based on queries made through the alleged PRISM programme?
  5. Would the Government advise that UK citizens, businesses and MPs stop using services provided by American web companies such as Google, Facebook and Microsoft?
  6. Can the UK Government give assurance that the commercial confidentiality of UK businesses has not been breached through the PRISM programme?

In addition, a Parliamentary investigation is required. Companies such as Google, Facebook, Microsoft and Yahoo need to answer to Parliament as to what data about UK citizens may have been included in the PRISM programme. The investigation should also ask questions of representatives of the UK Government and the intelligence agencies to bring transparency to clear up whether they had any involvement in the PRISM.

[Read more]

June 06, 2013 | Javier Ruiz

EE debate mobile weblogs and privacy

Yesterday we had a debate on mobile data in Parliament, kindly hosted by Julian Huppert. The panel included representatives from mobile phone company EE, Ipsos MORI, the Information Commissioner Office and Joss Wright from the Oxford Internet Institute.

The companies didn't add anything new to what we had learnt in previous conversations. They clearly don't see a problem with collecting highly personal information, including internet usage, and building commercial insights on it. EE argues that collecting such data is required for business purposes.

For example, if you query your mobile data bill they could use your web history to show you why. This raised a few eyebrows. They also claimed that everything is in their privacy policy, which is partly true. We think however that the policy of EE and those of other companies should provide more detail. Also, there is no opt in or out option here.

Ipsos MORI defended their integrity as handlers of personal information and explained that the data they get is anonymised thoroughly. For them mobile data seems a continuation of their work gaining insights into people's heads as pollsters and market researchers.

Joss Wright argued that data cannot be "anonymised" in binary form, but that instead we should speak of probabilities. Also he queried the concept of personal data and how you can learn a lot about someone without needing their name, date of birth and other identifiers.

The ICO said they didn't see a fundamental problem, although they think that there is a lot of room for improvement in how companies communicate their policies and what happens to data.

There were lots of really interesting contributions from the floor. Our audience was of a very high calibre and very informed. People raised a broad range of issues: highly technical questions on international data sharing, how can value be transferred back to customers, as happens with loyalty cards, and many others.

What we took home is that we still want to know a lot more about what exactly is being collected and processed by EE and other mobile companies. We are going to ask again EE to provide this information and help our technical experts understand the processes.

We remain concerned that collecting customer behaviour data for commercial purposes may require better consent models and current privacy policies may not be enough. We need to establish more clearly that data protection is upheld, not just in the data sharing with Ipsos MORI, but throughout the whole value chain.

Ultimately we think the mobile industry may need to sit down with other stakeholders and develop a code of practice that goes above and beyond minimum levels of mobile companies' views of data protection.

[Read more]

June 06, 2013 | Peter Bradwell

DCMS call summit on dealing with extreme or illegal content online

ORG to write to Minister to ensure civil society presence

This morning comes news that Maria Miller, Secretary of State for Culture, Media and Sport, has summoned internet companies to a summit on how they deal with illegal and extreme content online. This morning we will be writing to the Minister to make sure that Open Rights Group and representatives of civil society are present.

[Update: You can read a joint letter, written with Index on Censorship, English PEN and Big Brother Watch, on our correspondence page.]

In one sense this is not particularly surprising - politicians are reacting to the heated coverage in the media of exposure to various types of illegal or extreme content online over the past two weeks, which stemmed largely from the two tragic cases of Lee Rigby and April Jones.

It is understandable that the Minister wants to see what can be done to deal with illegal content online. But powers to make decisions about what people are allowed to see and do on the Internet are significant and must be treated with great care. Efforts to ensure a 'safer' online environment can inadvertently lead to overreaching or unaccountable powers or practices that block far too much content, for example. There are particularly serious problems when governments ask or expect companies to police content on their platforms, for example through industry practices.

For example, in our research into mobile networks' Internet filtering we found routine over blocking, including of shops, political blogs and community sites. Similarly, in Australia last month, it emerged that 1,200 websites were accidentally blocked when a government agency tried to take down two sites allegedly involved with fraud. [Update: it emerges that in fact 250,000 websites were accidentally blocked, on top of the already reported 1,200 - thanks to Pete on Twitter for pointing this out!]

We will post our letter, and any response, on the blog as soon as possible.

[Read more] (1 comments)

June 05, 2013 | Lee Maguire

Tickets for the final IT Crowd recording

Two tickets for the recording of the final episode are being auctioned to raise funds for ORG.

Update (7th June): The bidding was closed at 10am, and we've gotten back in touch with the highest bidder.  Thanks for everyone else's participation.

Comedy writer, and ORG advisory council member, Graham Linehan has arranged for two audience tickets for the recording of the final episode of The IT Crowd(Sharp-eyed viewers may have noticed the ORG logo amongst the on-set paraphernalia.)

Filming takes place this Saturday (8th June 2013) at Elstree Studios.

If you're interested in the tickets, please email and make a blind bid for them before 10am on Friday the 7th.

Note that if you're planning on attending ORGCon 2013 on the same day, you may need to leave before 17:30 (the scheduled end) in order to make it to Elstree Studios for the 18:00-18:30 check-in.

Tickets for the TV shows are free and anyone can apply via Permission has been granted for ORG to use these tickets for fundraising. Tickets for the I.T. Crowd are fully booked, but you can apply to be on the waiting list.

Minimum age for entry is 16. The winner will need to provide name, postcode, email address and phone number for the booking to be updated. Other terms below:


  1. This ticket is complimentary, not for sale, non-transferable and is issued by Elstree Studios ('The Studio') and Retort TV ("The Company").
  2. The Company and The Studio reserve the right to refuse entry to any person or to cancel or alter the times of commencement of the performance or the programme without notice to the ticket-holder and without liability to the ticket-holder in any respect whatsoever.
  3. Entry is subject to studio capacity and also by The Company and The Studio's discretion. This ticket does not guarantee entry.
  4. Neither The Company or their servants, agents or associates shall be liable for any loss or damage to property or personal injury of the ticket holder or to any other person associated with the ticket holder unless caused by the wilful or negligent act or omission by The Company, The Studio or their servants, agents and associates.
  5. The taking of photographs and the making of any other form of visual or sound recording by the ticket holder is strictly forbidden.
  6. Ticket-holders shall comply with all directions given to them from time to time by The Company, The Studio, or their servants, agents or associates.
  7. Children under sixteen years of age will not be admitted.
  8. Attendance at the recording shall constitute irrevocable permission by the ticket-holder to participate in and / or to be filmed / recorded and for The Company and The Studio to exploit any and all recordings of the programme or parts thereof (including any parts in which the ticket holder has been filmed/recorded) by all means and in all media without limitation as The Company shall deem appropriate.
  9. WARNING: Please note (i) ASTHMATICS - due to special effects used in some programmes, it may be necessary for us to use synthetic smoke. (ii) Strobe lighting may be used during the recording/ transmission.

[Read more]

June 05, 2013 | Ed Paton-Williams

What are Mobile Providers Doing with Customer Data? - The results so far

Last month, ORG set up an email tool to help people ask their mobile provider what they're doing with customer data. Are they selling it to other companies? If they're anonymising it, how are they doing that? Do they give customers the chance to opt-in or opt-out? These are the results from the responses so far.

Since we set up the tool, hundreds of you have used it to contact your mobile provider. Many of you have forwarded us the responses you've had from your mobile provider – thank you!

What, then, are mobile companies telling customers who contacted them? And what do their Privacy Policies say?

O2, Vodafone and EE have all replied to their customers to say that they provide analytics on aggregated and anonymised data sets of their customers to third party companies. Their privacy policies have sections to this effect.

Virgin Media say that they don't sell their customers' data and their privacy policy says they may pass on aggregate information about their customers' mobile use to third parties.

EE have told us that all customers have agreed to their Privacy Policy and implied that this counts as customers giving consent. O2 and EE argue in their responses to customer emails that because they are aggregating and anonymising data, the law does not require them to ask customers to opt-in or opt-out.

The vast majority of people want a mobile phone connection to help them manage their lives. In effect, mobile providers are presenting their customers with the choice of whether to have a mobile phone or to have their data included in mobile analytics datasets.

Come to a discussion panel in Parliament today at 2PM to hear more about mobile analytics and privacy. Representatives from EE, the ICO and Ipos MORI as well as Julian Huppert MP and Joss Wright from the Oxford Internet Institute will be discussing how mobile providers are handling data, what consent customers should expect to have and how data is being anonymised and aggregated.

Have a look to see what your mobile provider is doing with customer data and what their privacy policy says. For more information about what they said in their responses and the relevant contents of their privacy policies, see the ORG wiki page.

  What they're telling their customers What their Privacy Policy says
EE We are able to provide historical reports from our database about mobile network usage of large groups of customers. These reports analyse how, when and where our network is being used by these large groups and what it is being collectively used for. EE does not sell any individual customer’s personal data.

All data shared is anonymised and aggregated so that it is not possible to identify an individual. EE anonymises data in accordance with industry standard and the ICO Anonymisation Code of Practice as appropriate to the data in question.

As market research that is shared with third parties is anonymised and aggregated, and it is not possible to identify an individual, we currently don’t offer an opt-out for - network level data.

We use your personal information for the following purposes:
  • to provide aggregated statistics about our sales, customers, traffic patterns to third parties, but these statistics will not include any information that is likely to identify you
  • to carry out research and analysis and monitor customer use of our network and products and services on an anonymous or personalised basis to identify general consumer trends and to understand better our customers’ behaviours and partner with other businesses to create new services and to develop interesting and relevant products and services for our customers, as well as personalise the products and services we offer you.
Vodafone Vodafone is evaluating analytics projects, and we’re aware that these types of activities can only succeed if customers have control over how their data is used and feel that they receive some value in return.

While we believe that anonymisation and aggregation are important steps in protecting data, we are also in the process of developing better tools to enable customers to make informed choices about their participation in these types of projects.

We participate in an industry-wide initiative started in the UK in 2008 to provide mobile audience web and app measurement for publishers and advertisers.


There was no mention of how to opt-in or opt-out of such analytics.

We may use and analyse your information to:
  • Carry out research and statistical analysis to monitor how customers use our network, products and services on an anonymous or personal basis

The information we use will be your approximate location, based on the nearest mobile cell site. As a result, this will change as you move around with your mobile phone.

Vodafone appear to do their mobile analytics in house with Vodafone Global Enterprise.

We track communications records, data usage and location-based information to the nearest town.

The data is aggregated and analysed at a numerical level and participants can choose to remain anonymous when they sign up, so they aren’t personally identifiable from their data.

O2 In 2012 we announced a data analytics business which included a product called Smart Steps.

Smart Steps is about measuring the size of anonymous crowds of people - this does not include the selling of any individual customer’s data and it will never be possible to identify an individual customer.

Smart Steps extrapolates trends from anonymised and aggregated data. Customers’ personal information is never sold or disclosed.

With Smart Steps, there is no disclosure of a customers’ personal identity to “opt out” from.

We may use and analyse information about you in order to:
  • aggregate information about you, your spending and your use of the Services with information about other users of the Services in order to identify trends. We may pass Aggregated Data to third parties, such as advertisers, content providers and business partners or prospective business partners, to give them a better understanding of our business and to bring you a better service. Aggregated Data will not contain information from which you may be personally identified.
  • analyse information about you including your calling, searching, browsing and location data on a personalised or aggregated basis. We may pass this data to the third parties mentioned above and we may use this information to provide you with targeted O2 or third party offers, promotions, adverts or commercial communications.
Virgin Mobile Thanks for getting in touch. I can confirm that Virgin Media does not sell customer data. As such, we do not have an opt-in/opt-out policy.

I hope this answers your question.

We may use aggregate information and statistics for the purposes of monitoring usage of our services in order to help us develop our services, and may provide such aggregate information to third parties, for example, content partners and advertisers.

These statistics do not include information that can be used to identify any individual.

Tesco Mobile Tesco Mobile does not sell or pass on any customer data or anonymised data externally. We do at times use our customer information internally to understand shopping behaviours and to develop and improve our products and services. We would like to reassure you that your details are safe and will never be released to companies outside the Tesco Group for their marketing purposes.

We will share your details among Tesco companies at home and abroad (e.g. Tesco Personal Finance) and businesses that process this information on our behalf (e.g. printers who need certain details to print mailings.


We have received a number of similar enquiries from consumers who have been prompted to contact us following press reports or by the Open Rights Group campaign.

We know that data privacy is of utmost concern to our customers and we can confirm that Three does not sell customer data. There may be circumstances where information is shared with third parties, such as service providers who help us deliver services to customers, or deliver services that the customer has subscribed to directly, but there are always be carried out in full compliance with privacy laws.

We may process “Your Information” for a number of purposes including:
  • to carry out market research
giffgaff No reply yet - Please let us know if you've had a reply from giffgaff. We may use and analyse information about you in order to:
  • Aggregate information about you, your spending and your use of the Services with information about other users of the Services in order to identify trends. We may pass Aggregated Data to third parties, such as advertisers, content providers and business partners or prospective business partners, to give them a better understanding of our business and to bring you a better service. Aggregated Data will not contain information from which you may be personally identified.
TalkTalk No reply yet - Please let us know if you've had a reply from TalkTalk. We may also use your information for research and statistical analysis with the aim of improving our services.

We may use the personal information we collect from you to build up a profile of your interests and preferences. This information may be disclosed to other companies in the TalkTalk Group Limited group of companies and carefully selected third parties and/or used to make you aware of products or services that you may find of interest.

Some of the companies' replies and all of their privacy policies are long so are heavily abridged here.

[Read more]

June 04, 2013 | Javier Ruiz

Mobile data for sale: meeting with EE sheds new light

Last Friday ORG met with representatives of EE to discuss the details of their mobile data analytics operation. The discussion was triggered by a Sunday Times article apparently claiming that Ipsos Mori was trying to sell highly personal information about EE customers to the Met Police, and our campaign following it.

This is in the lead up to our public panel discussion on Wednesday 5 June. The meeting with EE was very helpful for us to get a better idea of how the Sunday Times article came about. We have asked the journalists to give their side of events, but so far we haven’t had much luck getting a reply. Clearing up any doubts about the most serious accusations of breaching privacy laws should be the top priority for everyone here.

Phone in Hand

CC BY-SA 3.0 photo by Victorgrigas

According to EE, someone apparently mixed up some slides given at a sales presentation by Ipsos Mori to the Metropolitan Police. The two companies have entered a partnership to develop analytics services. These slides referred to the data EE holds on customers, but this was not meant to be in the analytics package. How this ended up in a newspaper story about Ipsos Mori and EE selling highly personal information to the police is still unclear.We are asking EE to make those slides public on Wednesday.

Our next question then concerns what data EE uses for their analytics. Mobile companies like EE hold a lot of information on us, their customers. They are in the unique position of being able to combine several domains of your life, including your personal details (name, address, date of birth, etc.), communications, location and internet habits.

For example, internet marketeers are able to track your web browsing via cookies, but they generally cannot match that data with your postcode or age. EE tells us that the data they hold and use for this service is simply what is mandated by data retention legislation, for example, top level URLs without details of actual pages. This means they keep but not EE keep this kind of data as long as required by law, but we would like more clarity on the exact terms.

ORG is concerned that as companies convert this big data into an economic asset, rather than a liability, there will be pressure to collect more data for longer periods. The law sets a minimum, but companies may be tempted to go way beyond requirements. ORG opposes data retention legislation as blanket surveillance. These laws have been found to conflict with fundamental rights in other European countries.

We are particularly keen to understand how EE are able to connect individual users and web activities at a specific time. The service they provide via Ipsos Mori appears to be able to tell you how many people were reading, say, on mobiles and tablets in Piccadilly Circus this morning.

This kind of insight has been a key discussion in relation to the Snooper’s Charter. We have been told repeatedly that new laws are needed because mobile networks make this impossible, as many users share the same internet connection. EE representatives weren't able to explain, but said that it may be a matter of granularity and have promised more information on this

The other issue we wanted to examine was what data does Ipsos Mori get, and makes accessible to clients. According to EE, Ipsos Mori never access their databases, but make requests and get “anonymised” and vetted insights on groups of at least 50, never on individuals.

Queries mainly combine location data (users connected to a cell mast) with demographics (age cohort, gender or first half of postcode) and behaviour. So far apparently this is mainly web browsing, but we are not sure what else has been tested. Our concerns here centre on the risks of anonymisation.

There is a wealth of research on how hard it is to protect identities, particularly with location data. And this is not an academic debate. Only last week AOL finally settled a multi-million dollar lawsuit over its failure to anonymise customer records shared for research purposes.

EE assure us that they comply with the Code of Practice on Anonymisation from the Information Commissioner, which takes a light touch approach. But even in relation to this minimal protection there seem to be a few things that could be improved.

Joss Wright provided an initial check up recommending formal Privacy Impact Assessments and independent review and statistical validation of their protection mechanisms. A particular problem is that if queries are assessed individually, without reference to other queries, they might be combined to single out individuals. ORG will be happy to work towards a sector code of best practice.

Mobile users will certainly be surprised to hear that their details are being used in this way, even if analysing customers behaviour may be common in other business sectors. To the best of our knowledge fixed line Internet service Providers do not analyse their customers web traffic to provide commercial marketing services. We are not sure this would be seen as acceptable. EE argue that their customers have consented to this in their privacy policy:

We use your personal information for the following purposes:

• to provide aggregated statistics about our sales, customers, traffic patterns to third parties, but these statistics will not include any information that is likely to identify you

• to carry out research and analysis and monitor customer use of our network and products and services on an anonymous or personalised basis to identify general consumer trends and to understand better our customers’ behaviours and partner with other businesses to create new services… We may use information about your location for research and analytics purposes but we will only retain this information in an anonymised form to ensure that you cannot be identified as an individual.

While this seems to comply with existing data protection legislation in UK, we think that companies may need to go beyond the law in order to win the trust of their customers. We remain concerned about the amount of information that mobile companies are able to collect and believe that their unique position may require an specific sector code of practice. This would also involve stronger processes on data handling, anonymisation and sharing with third parties than asked for in the minimal requirements typically set by the UK ICO.

Please join us on Wednesday as we continue this discussion in person.

[Read more] (1 comments)

May 31, 2013 | Peter Bradwell

What mobile internet filtering tells us about porn blocks

Mobile networks filter their Internet service by default, in the name of child protection. We've looked at what lessons this can teach those calling for more Internet blocking.

There's been plenty of coverage today of calls to do more to block access to pornography, and specifically pornography on the Internet. There's plenty to be frustrated about much of this, for example an inability to distinguish between child abuse images and pornography in some cases.

But for this post I'll focus on some lessons we can draw from the Internet filtering that already takes place, mostly by default, on mobile networks.

This post does not deal with whether blocking actually does what it is supposed to - for example, preventing access or exposure to adult material, or helping improve attitudes to sex or gender. This post is also not intended to tacitly endorse blocking as a strategy - it rather is written to report what we've observed happens when it is deployed. It is always worth reiterating that restricting access to pornography, in the way described below, is a different issue to tackling child abuse and access to images of it.

Whether you think that website blocking is a good idea or not, it is important to at the very least recognise that it has serious, tangible, negative consequences, especially when it is switched on by default at the network level. This post helps demonstrate what some - but by no means all - of these issues are and why they happen.

1. It's very hard to define what you think should be blocked

Blocking is almost never just about stopping access to pornography. Mobile networks block a wide variety of content, including blogs to content related to tobacco or alcohol. It is hard enough trying to define pornography, let alone what fits into categories such as 'bombs' or 'esoteric content'. Orange listed both of these as blockable categories on their website until a recent update to their customer services pages. I assume that the blocking categories remain the same, but have asked if this is the case and will report back if not.

Even if blocking is restricted to subcategories like 'violent porn', the ability to define what that means is made extremely difficult because websites and content are, due to the sheer volume of sites to check, by robots, not human beings.

An added complication is what age-level filtering is set at. What sort of material should a 17 year old have access to? What about a 13 year old? What about an 8 year old? All very different. Any default blocking involves decisions about what level to set content restrictions at for a given age. On mobile networks, there is no facility to allow parents to tailor filtering to suit their children's age.

2. The 'wrong' things will be blocked

Through mistakes or abuse, too many sites will be blocked. This is not in question. 

We have found political blogs, technology news sites, shops, community sites, a blog about things that go on a shelf, campaign websites and churches blocked on various mobile networks. The primary website of the privacy tool Tor (meaning the HTTP version of the Tor Project website, rather than connections to the Tor network) was blocked on Vodafone, O2 and Three last year. We heard from an online gift shop that was blocked over Christmas last year. We assumed this was because they sold engraved lighters - and thus were categorised as 'tobacco'. It took over a month to get this fixed. 

In Australia, 1,200 websites were accidentally blocked when the Australian Securities and Investment Commission tried to take down two sites it believed were behind a fraud campaign. 

There are a number of reasons why this might happen, including categories being too broadly defined and mistaken categorisations through to human error. As the filtering services are run by third party services, and exactly what is blocked is not known, there is also the danger that filtering will be abused for all of the reasons that someone might want to restrict access to a website - from commercial rivalry through to political censorship.

It is important to recognise that although it is often merely inconvenient for a user to be subject to filtering, it is more than inconvenience when your site is blocked. Because that could mean that customers can't access your shop. Or people can't read your political commentary. Or you can't share your cat photos. Whatever, sites stuck behind filters are cut off from anybody on the relevant network.

3. It's hard to find out what is blocked and why

There's no easy way of finding out if your site is one of those blocked - unless we require people to have accounts with every mobile network so they can habitually check for themselves. And if you're not in the UK, that's not really an option. Only O2 have a (very useful) URL checker.

So we don't really know why mobile operators block some websites, or how they come up with the categories that they think should be blocked, or how they decide what sites fit into those categories. They are not transparent enough about the categories they choose, what they consider fits in to those categories, or who decides these things.

Mobile operators all say that they act according to a code of conduct set by the Mobile Broadband Group. But this code does not itself provide any criteria for determining or defining ‘blockable’ content. It does point to a framework devised by the Independent Mobile Classification Body (IMCB).

The Mobile Broadband Group code of conduct that mobile operators adhere to states that filters are ‘set at a level that is intended to filter out content approximately equivalent to commercial content with a classification of 18.’ There is a process of interpretation, as mobile operators look to derive blocking lists from the framework specifications. There is an added layer of interpretation: these filtering lists are usually maintained by the external third-party providers of the filtering systems.

There is a further problem of how ‘current’ the frameworks are. The IMCB Framework to which mobile operators adhere in their filtering policies was written in 2005. The latest version of the code of practice on self-regulation was published in 2009, with the original published in 2004.

It is not clear how frequently the mobile operators, individually or collectively through the Mobile Broadband Group, review how appropriate the filtering classifications are, or more broadly the effectiveness of their filtering systems - whether mistakes are made, how prevalent they are, and how they deal with them.

4. Reporting problems and mistakes is very difficult

Mobile operators’ staff often seem uninformed about mobile Internet filtering, and thus they are poorly trained to help users making complaints - whether they are trying to report a mistaken block or have blocking removed. Furthermore, a customer’s request to have the filtering removed may be framed as a request to turn on ‘adult content’ – which suggests the primary interest is adult sexual material. That ignores the breadth of the content blocked under these filtering systems, noted above.

This is especially problematic for sites that are blocked. Most networks see this as only an issue for their customers, and specifically only about whether their account has blocking enabled. It can be especially difficult, therefore, to get your website delisted by the blocking service when it is blocked inappropriately. This for many will be a serious inhibition on their ability to trade or share information.

5. Failure to put effort into addressing the problems

One of the biggest problems with mobile blocking has been the haphazard way in which the systems work - for example, the way networks decide what content should be blocked, and how mistakes should be addressed. Mobile networks have faced significant political and media pressure to do something about possible access to pornography on their networks, but feel very little in the way of commercial or political pressure in the other direction.

So it's easy to see that there are not too many incentives for them to take seriously issues such as over blocking, the reporting of mistakes or decisions about what is 'blockable'. This is why it's really important that policy makers understand that the 'switch it off' calls are not as simple as they sound, and that there is a tangible impact on freedom of expression.

We have been looking at this for a while now, and published a report almost exactly a year ago called 'Mobile Internet Censorship: what's happening and what to about it." We made a number of asks of mobile networks - more transparency, more choice, better means of fixing mistakes. It's fair to say that aside from networks being slightly easier to contact, very little has been done to fix the problems.

There are other problems with website blocking, for example related to how easy it is to get round blocks, how website blocking won't really address access or distribution of illegal material, how it might lull parents into a false sense of security, how network blocking is a problematic technological solution, to name a few. And that's without looking at some of the calls for age verfication and registration made today.

The Government's position on website filtering for child protection currently seem reasonably sensible - help households make their own decisions about what is appropriate for them. We have to hope that the sort of pressure exerted by calls for more blocking made today, emotively made in the wake of such a tragedy, don't pursuade them to take a more drastic route without considering the consequences. 

At ORGCon next week Professor Andy Phippen will be giving a talk called 'Think of the children!', where he'll talk about his research into young people, technology and exposure or access to 'harmful' material. And Child Rights International Network will be talking about the impact of blocking on children's rights in our rapid fire talks session (they have written previously about this for ORGZine).

A full programme and tickets are available at the ORGCon website

[Read more]

google plusdeliciousdiggfacebookgooglelinkedinstumbleupontwitteremail