
Blog


July 07, 2014 | Jim Killock

Theresa May is attempting to mislead the public

Government spin that data retention laws need to be revised to deal with terrorism, as reported by the Guardian on Saturday, is a simple attempt to mislead the public.

The real reason they need to legislate on data retention is that they are asking ISPs to operate illegally by retaining data, since the CJEU struck the Data Retention Directive down.

The government knows they are at high risk of legal action from ORG, Privacy International, Liberty and others, and of that legal action succeeding. ORG wrote to the government to ask them to stop trying to enforce EU data retention laws, as they had been invalidated. Thousands of ORG supporters wrote to ISPs to ask them to stop retaining their data illegally. One way or another, this law is likely to be struck down, and the government knows it.

ISPs have obeyed the government’s instructions to continue to retain data, which is in itself quite dubious. It is courts that decide what the law is, not governments. Parliament legislates, and governments must obey the law. The government does not decide what the law is.

Theresa May has long made it clear that she wants to extend data retention to cover mobile phone records, which are currently not kept because of the complexities of administering “Network Address Translation” caused by using single IP addresses for many mobile phone users. Currently data retention applies to phone records, customer data, IP addresses and email logs at your broadband ISP.

But now all retention too must abide by the CJEU judgement, which has clearly delineated the limits to data retention under human rights law. They have said that it must:

  • provide exceptions for people whose communications must be confidential for legal reasons

  • restrict retention to data that is related to a threat to public security and in particular restrict retention to a particular time period, geographical area and / or suspects or persons whose data would contribute to the prevention or prosecution of crime

  • restrict access to defined, sufficiently serious crimes

  • limit access to that which is strictly necessary

  • empower an independent administrative or judicial body to make decisions about access to the data on the basis of need

  • distinguish between the usefulness of different kinds of data and relate retention periods to that question

  • keep retention periods as low as possible, i.e. to periods that are ‘strictly necessary’

  • ensure the data is kept securely

  • ensure destruction of the data when it is no longer needed

  • ensure the data is kept within the EU 

Will any new UK data retention law, drafted and published this week, meet these criteria? It doesn’t seem likely, and if not, then Parliament must be given time to consider it in line with the demands of the judgement. This paragraph, in particular, needs the attention of our legislators:

Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.

That is a clear call to draw a line and stop blanket data retention. As the court says in their press statement, it is a “serious interference with fundamental rights of citizens to privacy”. Any new law needs to scale back, not increase, the UK's data retention laws.



July 06, 2014 | Jim Killock

What Google isn’t doing with requests for search redaction

Newspapers are now accusing Google of censoring their articles every time that a search result is being removed in relation to one of their articles. However, what the very lazy journalists are not doing is testing the search results to see if any of the key figures are likely to have gained the redaction, at least not before telling the world about it.

A search for Stan O’Neal brings up Robert Peston’s article on the first page. So what redaction could have taken place here? The only personal names on that page, other than Peston’s, are for individuals in the comments section. So the likelihood is that Google has redacted a search for someone whose comment appeared unduly highly in their search results. That’s likely to fit within the criteria laid down by the ECJ: results that are inadequate, irrelevant, no longer relevant, or excessive.

How about the Express’ article about George Osborne’s brother Adam? Searches for Adam Osborne and Rahala Noor bring up the article on the first page. George Osborne has a lot of material and is a public figure, so it is unlikely to be about him. It’s possible that Sir Peter Osborne has asked for a redaction. Would that be reasonable? Probably, as the article isn’t really about him.

One problem seems to be that very prominent and interesting articles get pushed up search results for people who otherwise don’t have a lot of highly ranked material on the Internet relating to them. For people posting comments on news articles about far more famous people, this result is not surprising.

The Guardian seem to have been the victim of a mistake by Google, who have changed their minds about that redaction. In each case, we might wonder if we really want Google to make this decision, and where they are drawing the line. 

But if Google want to make life easier for themselves, and reduce the number of complaints, they should see if there is some way that their notices, or some accompanying commentary, could make it clear that redactions are unlikely to be about the main subjects of these articles. For public policy, we need to think about the extent to which we trust Google to make these decisions, and how we make sure they don’t remove searches that relate to matters of public interest.

 

 



July 03, 2014 | Jim Killock

Getting filter categories right

Yesterday's launch of blocked.org.uk has had an excellent response. Over 10,000 sites have been tested for blocks, and no doubt many problems have been found and reported. However, we will need to change the way we calculate results for TalkTalk.

When we set up our filtered Internet lines, we did our best to choose the 'normal' set of filters for each line. These are what we believe an 'average' customer who sets up filtering will choose. In TalkTalk's case, it seems we made a mistake, and three categories got added that should not have been. These are "File sharing, Games and social networking". It seems many blogs are categorised as social networking. Additionally, we've been informed by BT that they use light, not moderate, as their default.

To clarify how the 20% figure was produced, we've outlined below the statistics for each network. No individual network blocked more than 13%, so while the overall total representing a 'default' filter block will reduce, it may not reduce so dramatically. We should know in around a day.

We want to show what our experience of their defaults is in the results on blocked.org.uk. We thought that aim would be reasonably representative of what people in general would experience. We recognise that we didn't make that very clear at launch - but are happy to clarify now. When TalkTalk's and BT's results are recalibrated over the next day or so, we will have lower percentages for their 'default' settings. However, all the sites that are included in our current 20% figure are affected by some kind of blocking, even if only a small number of people switch on filters at this level. If and when we test the stricter filter options for all ISPs, the number of sites blocked for customers using stricter options is likely to be even higher. We will need to test for strict blocking, because people have a right to know if a site is blocked and if mistakes are being made.

We have been transparent from the start about the settings with which our lines are configured: they have always been listed in detail in our FAQs. To make this easier to find, we've also added an explanation directly below the results. If we've made any other errors about the 'default' position at an ISP, we are happy to be corrected.

Ideally we would monitor each filtering level for each ISP, and our system is capable of doing so, but our funds don't stretch to paying for all the connections so we had to make a choice. We are working to expand our system so that people can run probes of their own. That way we can cover many more networks, with different filtering settings, to get a clearer picture of the way these filters work in practice. You can help with this.

It's also important to remember that TalkTalk and other providers should be providing an authoritative tool for people to check whether and why a site is blocked, which would also have helped avoid error. After all, we are just testing for blocks, we are not trying to reverse engineer the precise categorisations that are made.

Finally, there must be a question about whether ISPs should be offering to block a category called "social media" that includes content such as blogs. This is censorship by form rather than content. If Tesco run a blog, should that be blocked? Or a blog about Minecraft, or school meals? In fact, which blogs are selected as social media at TalkTalk seems to be highly unpredictable. Furthermore, many communities such as the LGBT community use blogging as a way to talk about issues on their own terms: blocking such information could be disproportionately harmful for young people.

An argument may be made that comments sections could be unpoliced, but plenty of newspapers have comment sections. If a danger is posed by comments, then the target of filtering probably needs a whitelist solution. We think there is some danger in these categories being available for people to apply: they are both too broad for most young users and not sufficiently narrow for young children.

The broader point needs to be remembered: that these filters are arbitrary, capricious, and even the people who sell them don't fully understand what they do.

For the perspective of a Blocked user and website owner on this issue, journalist Jane Fae blogged her story of the status of her blog as blocked or not by TalkTalk.
http://faeinterrupted.wordpress.com/2014/07/03/is-it-because-i-is-trans/

Network                               Blocked   Total results   % blocked
AAISP                                           100237          0.00%
BT (moderate, not default)            5229      73199           7.14%
O2                                    455       10059           4.52%
Plusnet                               2         41819           0.00%
Sky                                   4345      66837           6.50%
T-Mobile                              1312      23690           5.54%
TalkTalk (with optional categories)   13126     100237          13.09%
Three                                 597       10017           5.96%
VirginMedia                           2953      69137           4.27%
VirginMobile                          2430      64202           3.78%
Vodafone                              481       9968            4.83%
All networks (current totals)         22837     114179          20.00%

Edits: added Jane Fae link, information about BT and the results table for clarity  



July 02, 2014 | Pam Cowburn

ORG's Blocked project finds almost 1 in 5 sites are blocked by filters

Today, Open Rights Group relaunched www.blocked.org.uk

A Porsche broker, a political blogger and a mum hoping to read an article about post pregnancy care are among those that have been affected by Internet filters, designed to protect young people from adult content.

In 2012 we published the Mobile Filtering Report, investigating the way default blocking on mobile phones was denying people access to important information. We reported on what has seemed like rather arbitrary censorship, such as the New Wine church block. ORG analysed and drew examples from our site at blocked.org.uk which originally allowed people to submit when they found that a site had been blocked.

Now the full extent of Internet blocking can be revealed by our relaunched Blocked project.

Any web user can use the free checking tool on www.blocked.org.uk, where they can instantly check to see if a website has been blocked by filters. Our tool checks the submitted URL for blocks across the main Internet networks on both broadband and phone. We have test lines from 3, Andrews & Arnold, BT, Everything Everywhere, O2, Plusnet, Sky Broadband, TalkTalk, Virgin Media and Vodafone.

Through the Blocked project we wanted to find out about the impact of web filters. So far Open Rights Group has tested over 100,000 sites and found that over 19,000 - almost one in five - are blocked by one ISP or another. The problem of overblocking is not going away. Different ISPs are blocking different sites and the result is that many people, from businesses to bloggers, are being affected because people can’t access their websites.

We've found that there is a lack of information about how to get sites unblocked. Mother-of-one Marielle said she was ‘humiliated’ when she visited the Three store to find out how she could access an article about post-partum care on her phone: “The manager told me that I couldn’t access filtered articles without entering a 4 digit pin every time I wanted to read a filtered article because I had a PAYG plan.” Marielle submitted a report to Three saying that the article had been incorrectly blocked but didn’t get a response.

There are more personal stories on the Blocked site and we'd like to hear from you if you've been affected by filters.

We'd like to thank our supporters who committed to make this project happen. ORG's team of technical volunteers worked with us to build the systems and software for this project and we're very grateful for their time. We couldn't have done this without the support of our community, so thank you.

How can you help Blocked?

Test your url: 
https://www.blocked.org.uk

Spread the word: 
We want as many people as possible to talk about how filtering affects them. It's only through being vocal that we'll be able to change the Government's attitude to Internet censorship.

Join ORG: 
By joining ORG you can help us continue to provide Blocked for free and support our on-going development of the tool.





June 19, 2014 | Elizabeth Knight

Data retention: why we have to keep the pressure on ISPs

In the last four hours, over 400 ORG supporters have contacted their ISPs to demand that they stop retaining customers' email, SMS, web and phone data. It's crucial that we keep up the pressure.

In April the Court of Justice of the EU ruled that the Data Retention Directive breached fundamental rights of privacy and protection of personal data. And yet the ISPs, on government advice, are continuing to store data.

ORG supporters' emails are an important first step in pressuring ISPs and the government. They must be made aware that customers care about this.

Emails to ISPs may also be used as a basis for formal complaints to the Information Commissioner's Office (the body that supervises data retention in the UK). In addition the high level of customer concern may be helpful as evidence in any legal action ORG might take against the government.

In our view there is no legal basis for the continuation of data retention. We believe the ISPs should be acting in their customers' interests and seeking clarity from the courts. At present they are passing the buck and hiding behind government advice to continue as usual. It is for the courts, not the government, to decide whether the UK Data Retention Regulations should continue to be applied.

Some ISPs are already sending automated responses to ORG supporters. Their responses illustrate our concerns.

Virgin Media's response says: “...We have also been in contact with government and with the Information Commissioner's Office following the ruling and the UK government's current position is that although the Directive was held to be invalid, our own Data Retention Regulations are still in force and we must comply with them until such time as they are struck down by a UK court.”

Sky's response says: “It is our understanding that the Data Retention (EC Directive) Regulations 2009 remain in force within the UK. We will therefore continue to meet any obligations as set out in those Regulations, and retain data in accordance with our data privacy notice...”

It is vital that as many people as possible contact their ISP. ISPs need to know that this is an issue that matters to their customers. We can see from their replies that the ISPs are talking to the government. ISPs must have their customers' concerns at the forefront of their mind when they have these conversations. Your emails help that happen.

If you haven't yet contacted your ISP – Please contact them to register your concern!

If you've already contacted your ISP - thanks for your help. Please keep us updated by sending any replies to campaign-support@openrightsgroup.org



June 19, 2014 | Ed Paton Williams

Demand your ISP stops retaining your data

In April, the European law forcing Internet Service Providers like BT, Sky, TalkTalk and Virgin to collect our communications data was struck down by the European Court of Justice. The judges said the law interfered with our right to privacy.

But UK ISPs have passed the buck. On the Government's advice ISPs are still retaining your personal data about who you email, text and phone, where you are and the websites you visit. We'll likely have to take legal action to stop this. First though, we need lots of the ISPs' customers to make a complaint.

ORG's new Legal Director Elizabeth Knight and solicitors from Deighton Pierce Glynn have prepared a legal letter of complaint demanding that your ISP stops retaining your data.

This is a really exciting time for ORG. We've just hired Elizabeth as our new Legal Director so we can take on big legal campaigns like this. We still need your help though to make sure we have lots of examples of people who have told their ISP to stop retaining their communications data.

Can you email the letter to your ISP in your name now? It's already written for you so it'll just take a minute.


At the moment we've only set up the action to contact BT, Sky, TalkTalk and Virgin Media. If you use another ISP, you can use this template letter to complain to them.

Dear [ISP name],

You will be aware of the judgment of the Court of Justice of the EU on 8 April 2014 in the Digital Rights Ireland case Joined Cases C-293/12 and C-594/12, which found the Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC) to be in breach of Articles 7 and 8 of the EU Charter of Fundamental Rights and Freedoms and Article 8 of the European Convention on Human Rights.

This is likely to have the effect of rendering unlawful the UK's regulations implementing that Directive, known as the Data Retention (EC Directive) Regulations 2009. Accordingly, any requirement imposed on you by the Regulations or otherwise by the UK Government is likely to be unlawful as it is in breach of those same fundamental rights.

I ask you as my ISP to confirm to me within 21 days that you shall not store any data relating to me for any period other than as strictly required for the provision of internet services to me i.e. as soon as any data ceases to be necessary for technological reasons only then it shall be automatically deleted. I also ask you to confirm that you shall delete any data already held in relation to me.

If you are not prepared to provide the assurances I seek, then I ask you to state on what authority you continue to retain my data and for what purpose. I also ask you to clarify what arrangements you currently have in place with the UK Government for the retention of my data.

Yours sincerely,

[Your name]



June 10, 2014 | Pam Cowburn

Don't Spy on Us: Day of Action, June 7, 2014

On Saturday, June 7, the Don't Spy on Us campaign and The Guardian hosted a day of action to mark the anniversary of Edward Snowden's revelations about mass surveillance by the NSA and GCHQ. ORG is a founding partner in the Don't Spy on Us coalition, which also includes Article 19, Big Brother Watch, English PEN, Liberty and Privacy International.

Sponsored by F-Secure, the sell-out conference at Shoreditch Town Hall, London, was the biggest privacy event of the year.

The day began with a pre-recorded video message of support by performer Stephen Fry, who criticised the government for using the fear of terrorism as a "duplicitous and deeply wrong means of excusing something as base as spying on the citizens of your own country". Next up was ORG co-founder Cory Doctorow, who suggested that increasing our own personal security online would increase the cost of spying to the extent that it would force the security agencies to become more targeted. In a later session, he also suggested that we need, “privacy for the weak, transparency for the strong”.

Other speakers included Guardian Editor, Alan Rusbridger and the journalist Ewen MacAskill, who gave incredible accounts of how the Snowden story broke – revealing that the New York Times had effectively created an 'embassy' for The Guardian in its New York offices to ensure that the British newspaper was protected by the US constitution.

This was a day of action, not just words, and there were a number of breakout sessions that looked at practical ways that the Don't Spy on Us campaign can persuade the public, government and media to do something about mass surveillance. Tim Duffy, CEO of M&C Saatchi, identified two reasons for public apathy over surveillance – many people are not aware of it and if they are, the fear of terrorism beats the fear of having their privacy invaded. Duffy made a number of suggestions for how the campaign can overcome these problems, including disclaimers on emails and apps.

In a separate session, Claude Moraes MEP, lawyer Mark Stephens, Cambridge University's Ross Anderson and Emma Carr from Big Brother Watch listened to participants' suggestions for new legislation that will protect our rights to privacy and freedom of expression. Meanwhile, at a cryptoparty, volunteers (including a number of ORG supporters) showed attendees how to encrypt their emails.

The event ended on an upbeat note with Wikipedia founder Jimmy Wales reminding the crowd about effective collective action over SOPA and urging them not to feel powerless: "We know how to change the world. Let's start doing it." Shami Chakrabarti of Liberty said that if the courts, private business and people start to care, then politicians will start to care about mass surveillance. Security expert Bruce Schneier agreed that the solution will be political, saying that “laws can trump technology".

ORG Executive Director, Jim Killock closed the day by asking people to not only sign and share the Don't Spy On Us petition but also contact their MPs.

One year on, the government response to the Snowden revelations has been inadequate but with an election due next year, politicians are more sensitive to what the electorate wants. With your support, we can make sure they listen to what we are saying.

For more on the event, check out #Don'tSpyOnUs, which trended on Twitter all day on Saturday. You can also read blogs by Professor Ian Brown, Damian Gayle and Falling down the Orwell or see some of the press coverage in The Observer, The Telegraph, The Independent, The Times (£), The Daily Dot and Channel 4.

 

Waiting for opening speakers at #dontspyonus by Dave Levy CC BY-NC-SA 2.0

 

Proposed pro-privacy street ad by Cory Doctorow CC BY-NC-SA 2.0

 

 

 











June 07, 2014 | Jim Killock

No transparency for the UK in Vodafone's transparency report

Yesterday’s transparency report from Vodafone raised a very intriguing question: why did Vodafone feel obliged to redact aggregate surveillance statistics from their UK report?

Vodafone’s argument for publishing these statistics where they can is that “The need for governments to balance their duty to protect the state and its citizens against their duty to protect individual privacy is now the focus of a significant global public debate. We hope that – despite the shortcomings … – the country-by-country disclosures in this report will help inform that debate.”

They note, however, that it is not legal to disclose aggregate statistics or other information in many of the 29 countries in which they operate. Although Google, Twitter, Yahoo and others do publish aggregate information about the UK, Vodafone's report states that the law in many states is not clear:

In many countries, there is a lack of legal clarity regarding disclosure of the aggregate number of law enforcement demands. We have therefore contacted governments to ask for guidance. Some have responded, and their views are summarised in this report.

But more importantly, Vodafone have chosen not to publish statistics about the volume of their own communications data requests, as the UK government does this already:

We believe governments should be encouraged and supported in seeking to adopt this approach [publishing aggregate statistics] consistently across our countries of operation. We have therefore provided links to all aggregate statistics currently published by governments in place of our own locally held information (where disclosure is legally permissible at all) and are already engaged in discussions with the authorities in a number of countries to enhance the level of transparency through government disclosure in future.

Separately, where the authorities currently do not publish aggregate statistical information but where we believe we can lawfully publish in our own right, we have disclosed the information we hold for our own local operations.

In other words, as the UK publishes a single aggregate Comms Data statistic, Vodafone believe they should not duplicate and confuse the picture.

For the UK, Vodafone state:

[Note 1] Section 19 of the Regulation of Investigatory Powers Act 2000 prohibits disclosing the existence of any lawful interception warrant and the existence of any requirement to provide assistance in relation to a warrant. This duty of secrecy extends to all matters relating to warranted lawful interception. Data relating to lawful interception warrants cannot be published. Accordingly, to publish aggregate statistics would be to disclose the existence of one or more lawful interception warrants.

[Note 2] The Interception of Communications Commissioner’s Office publishes statistical information related to lawful interception and communications data demands issued by agencies and authorities.

It is not clear whether it is Vodafone’s interpretation of RIPA, or the government’s, that “to publish aggregate statistics would be to disclose the existence of one or more lawful interception warrants” and so violate Section 19 of RIPA.

We do not agree with Vodafone that it could be confusing to publish their own figures for requests. It is, we believe, important for everyone to be clear about the volumes and kind of requests they are getting, including the errors and rejections of requests that are made. Showing that both companies and governments are roughly in agreement about what is happening helps us understand the bigger picture of law enforcement activity. The UK government has been notoriously resistant to the idea of improving transparency and will probably remain so. It is inadequate to expect them to improve without outside pressure, which means companies must publish what they can.

Transparency of course is not a solution to mass surveillance. It is just a precondition for a sensible debate, and re-establishing trust. At this point, it seems that the UK government is still trying to perpetuate a culture of secrecy.

UPDATE: This article has been edited to reflect Vodafone's explanation of their choice not to publish UK and other aggregate statistics set out in the report.
