06 April, 2017 Open Rights Group

Annual Report 2016

Company Information
Directors’ Report
Accountants’ Report
Income and Expenditure Account Balance Sheet
Notes to Financial Statements

Report of the Board of Directors for the year ended 31 October 2016

Introduction

This year was dominated by campaigning around the Investigatory Powers Act (IPA), a new and extensive surveillance law that was created in response to three independent inquiries into the Snowden revelations. The draft legislation saw the surveillance powers revealed by Snowden put into statute and extended further, giving the UK the most extreme surveillance legislation ever proposed in a democracy. Given ORG’s criticisms of mass surveillance, we were at the forefront of campaigning around this Bill.

This was a year that saw the UK vote to leave the EU, a change of Prime Minister and internal divisions and a leadership challenge within the Labour party. In addition, terrorist attacks in mainland Europe meant that campaigning around surveillance was always going to be challenging. Our core success came through a successful legal intervention in a case at the Court of Justice of the European Union. This was our first major legal success and it will help to roll back some of the extreme powers in the IPA.

Brexit also had a major impact in our work. In the immediate aftermath of the vote, we ran a seminar to identify how different approaches will affect digital rights and our work. We are continuing to work with lawyers, policymakers and civil society to ensure we are prepared for the outcome of political action in 2017.

Having completed a restructure in 2015, ORG strengthened its team with a number of key recruits, including Myles Jackman as Legal Director, Slavka Bielikova as Policy Officer and Charlie Tunmore as Supporter Officer.

ORG has a highly engaged and motivated supporter base that included around 3,000 paying members during this period. We also have around 25,000 supporters who receive our newsletters, over 30,000 Twitter followers and around 10,000 Facebook followers. Our committed supporters are key to our successful campaigning, and their interventions help us to lobby MPs and policymakers more effectively. The recruitment of a Supporter Officer in September 2016 helped to reinvigorate and increase our local groups who are at the forefront of our grassroots base.

Our supporter base helped us run two successful crowdfunding campaigns for both ORG and the Don’t Spy on Us coalition, enabling us to take our messages about the IPA to new audiences – including the public, media and politicians.

We launched a new corporate supporter membership scheme, having given careful thought on how to ensure that this in no way compromised our campaigning impartiality. During this period, we recruited nine corporate supporters.[1]

ORG worked to appeal to a wider demographic base by campaigning on broader issues than previous years. These included consumer campaigns (see section below on corporate surveillance) and campaigns on issues affecting children and young people (see Young people and schools below).

2016 statutory accounts.xlsx

[1] Our corporate supporters are listed at https://www.openrightsgroup.org/about/corporate-sponsors

Financial notes

Our work was supported by a number of foundations and trusts which are listed in full below. Some of the grants were for work we completed with the Don’t Spy on Us (DSOU) Coalition,[1] campaigning against UK mass surveillance and the Investigatory Powers Bill.

The following sums granted were spent in the period:

Joseph Rowntree Reform Trust £59,745
Open Society Foundations £49,148
Open Society Foundations for DSOU £62,841 Esmee Fairburn Foundation £9,104
Mozilla Foundation £6,900
New Ventures Foundation £5,937
Association of Progressive Communications £2,731

Gifts and donations income includes £24,233 held and spent on behalf of the DSOU coalition

Grants includes £50,000 given for the DSOU (see below), and £31,037 donated to run the Copyright 4 Creativity campaign on EU copyright, listed as expenditure in ‘Grants made’

Accounting and professional fees includes the costs of outsourced book keeping
General Campaigning and Policy Specialists includes £31,914 spent on behalf of the DSOU coalition

Our finances saw the benefits of restructuring and cost-saving measures, with lower staff costs, lower donation processing charges and rent, and book keeping outsourced as noted above. The savings allowed us to rebuild reserves, ensuring we have a sound financial base from which to campaign.

Brexit

We started the work of assessing the enormous implications for digital rights that will come from the decision to leave the EU. We ran an expert workshop in the summer to assess the immediate challenges and the likely outcomes of Brexit. We also looked at our fundraising strategy, which will need to secure new resources to deal with Brexit in the short term, and develop deeper policy resources to lobby UK institutions in the future.

Investigatory Powers Act

The draft Investigatory Powers Bill was published in November 2015. The Bill presented the first comprehensive reform of surveillance laws since 2000. It was implemented in part to attempt to provide a retrospective legal basis for many of the illegal surveillance activities described in the Snowden leaks. In addition, the Bill covered other practices uncovered since, such as the bulk access to communications data from communications service providers and many other areas such as finance and travel. The Act also provides an update and extension to data retention legislation, although this is partly on hold due to the recent CJEU ruling in the Watson/Davies case. Trying to amend the most egregious parts of this extensive piece of legislation was one of ORG’s priorities in this period.

Our Executive Director, Jim Killock, gave evidence to the Joint Committee that scrutinised the Bill and ORG also made a written submission to their consultation. Throughout the year, we worked with opposition MPs to try and introduce amendments that would improve the Bill.

[1] https://www.dontspyonus.org.uk

Policy Director, Javier Ruiz contributed extensive policy analysis to the work coordinated by the Institute of Advanced Legal Studies, University of London, which was circulated and used by MPs and other policy makers, and wrote and co-ordinated the production of extensive amendments. ORG met the Home Office in December 2015 to discuss the Bill and engaged with other policymakers in the committees. ORG presented an additional submission to the Science and Technology Committee of Parliament.

With the help of Duncan Campbell from our advisory council, ORG orchestrated and facilitated the trip by William Binney, a high profile whistleblower from the NSA, to give high impact critical evidence to the Joint Committee.

We also raised awareness with the public through media coverage, opinion pieces, social media, email campaigns and petitions. We raised £20,000 through a crowdfunder that enabled us to make a film which was viewed by over 800,000 people.[1]

Despite our best efforts, the IPB was passed and gained Royal Assent at the end of 2016. We were hindered by the following factors:

● The public, politicians and media were pre-occupied with the very immediate questions of Brexit and Donald Trump;

● The Labour party had internal problems which meant that they did not oppose the Bill in a unified way;

Terrorist attacks in Europe and an authoritarian mood to politics meant that politicians were eager to give the intelligence agencies any powers they asked for.

Dealing with a massive reform of the entire of UK surveillance laws was always going to be extremely difficult. The range of problems brought up meant that it was very difficult to get change where it was needed.

Nevertheless, the lack of concessions, combined with the relative clarity we now have from the Act, means that we are in a very good position to campaign against the many outstanding issues from a position of deep knowledge of the defects of the legal framework, for instance relating to hacking powers, data sharing, or the treatment of mass surveillance data. Positive changes to the oversight regime may also be helpful in pushing for substantive change.

ORG has raised public awareness of surveillance powers in the UK, built political connections and also laid the groundwork to challenge parts of the IPA through legal work (see below).

[1] https://www.snooperscharter.co.uk

Intervention in the case brought by Tom Watson MP about data retention

Emergency legislation to continue with data retention of Internet and phone records was brought by the UK government after the underlying EU law was declared invalid in 2014 by the Court of Justice of the European Union (CJEU).

Immediately after the UK replacement, the Data Retention and Investigatory Powers Act (DRIPA) was passed in 2014, Tom Watson and David Davis brought a judicial review to challenge it. ORG intervened alongside Privacy International to argue that DRIPA was unlawful, on the grounds that DRIPA did not comply with EU law and that the new case law from the CJEU precluded blanket retention.

Don’t Spy on Us

The Don’t Spy on Us coalition brought together the UK’s leading free speech and privacy organisations to challenge mass surveillance in the UK. As well as ORG, its executive comprised Article 19, Big Brother, English PEN, Liberty and Privacy International. There were also 12 associate members.

ORG helped coordinate the coalition’s work and secured the funding necessary to achieve it through our strong relationships with human rights trusts and foundations.
In 2016, this included:

● Delivering reports that outlined how the Investigatory Powers Act and mass surveillance should be reformed;[1]
● A high profile ‘Dictators ad’ campaign that highlighted the authoritarian proposals in the Investigatory Powers Act.[2]

DSOU achieved two of its core objectives – for there to be an independent inquiry into surveillance in light of the Snowden revelations and for greater transparency around UK surveillance. The coalition will continue on a more informal basis and act as a platform to bring together privacy, free speech and human rights activism.

[1] https://www.dontspyonus.org.uk/blog/2016/02/26/investigatory-powers-bill-how-to-make-it-fit-for- purpose/

[2] https://www.dontspyonus.org.uk/our-campaign

2016 statutory accounts.xlsx

Blocked project

In 2013, Internet Service Providers were persuaded to provide filters that would block content that is deemed to be unsuitable for under 18s. In reality, filters block wide-ranging content, including sites that are specifically designed to give help and support to young people. ORG continued to run the website blocked.org.uk[1], which allows anyone to check whether a website is blocked by the main ISPs’ filters. To date, 3.6 million sites have been tested, including all sites categorised by DMOZ. We have built a tool that will allow people to check sites according to genre and location and easily report them to ISPs for correction. The evidence gathered by this reporting tool will help us to increase transparency about the impact of filters.

We also worked with the international free speech organisation, Article 19, who modified the tool so that it could be used to monitor censored content around the world, including in Tunisia, Kenya and Brazil.

Training for journalists and NGOs

We have developed in-house expertise on digital security over the last three years. Our campaigner Ed Johnson-Williams developed digital security training for journalists and NGOs. In 2016, he delivered training to organisations including OpenDemocracy (an independent media organisation) and the Rory Peck Trust (an organisation supporting freelance journalists working in dangerous and hostile regimes). ORG’s local groups have started to deliver digital security training to members of the public around the UK.

Mobile data report

In April 2016, we published a report into how mobile phone companies are using customers’ data

without their consent,[2] covered in The Guardian .[3] This report was presented in Brussels and used to successfully intervene in the reform of the E-Privacy Directive.

We launched the report with a website that allowed people to sign up to demand that the UK’s ICO change the consent behaviour of Mobile and Wi-Fi Operators. We helped people to opt out of the collection of their location data.

Corporate surveillance

We continue to raise awareness of privacy violations by companies. For example, we were informed that Admiral Insurance were planning to offer discounts to first time drivers if an analysis of their Facebook feeds suggested that they would be safe drivers. ORG used this as an opportunity to raise awareness of why it is bad for financial decisions to be based on what we might say on social media. This could lead to decisions reinforcing biases about race, gender, religion or sexuality, and could change how people use social media.

[1] https://www.blocked.org.uk

[2] https://www.openrightsgroup.org/ourwork/reports/mobile-data

[3] https://www.theguardian.com/world/2016/apr/04/mobile-phone-users-movements-are-tracked-and- sold-for-profit

Prior to the app being launched, we made Facebook aware that it breached their policies. The result was that a huge media day generated by Admiral was dominated by discussion of privacy issues and Admiral were shown to have got it badly wrong.

Young people and schools

As well as the free speech implications of web filters, ORG regularly briefs the press on technology issues related to young people – such as digital tracking devices, surveillance in schools and schools data collection. In 2016, we joined the Against Borders for Children coalition to oppose the collection of country of birth and nationality data in schools. The Government has since dropped plans to roll this initiative out to early years and provided clearer guidance so that schools understand it is voluntary.

Digital Economy Bill (DEBill)

The DEBill had its first reading in parliament in July 2016. Jim Killock gave evidence to Joint Committee about our three areas of concern in this wide-ranging Bill:
Age verification

The Bill includes proposals to force sites publishing sexually explicit adult content to verify the age of their users with no requirements to protect their privacy. In order to force foreign websites to comply with the proposals, the Government has proposed that a regulator could instruct Internet Service Providers to block websites that fail to provide age verification. This could mean that thousands of websites containing legal content could be censored. ORG has raised awareness of the risks to free speech and privacy in the media, as well as engaging with civil servants, policy makers and politicians.

These proposals could lead to huge databases of extremely sensitive personal data which may include information on personal sexual preferences. There is no obligation for that data to be treated with additional sensitivity by websites or AV providers. In particular, we are calling for websites and AV providers to be obliged to protect users’ privacy and anonymity. This is especially important as users will be forced to use these tools if they wish to access the content.

During the course of the Bill, censorship proposals were discussed, and in fact introduced in ORG’s next financial year.

Data sharing

There are worrying proposals to make it easier to share data across government departments but also with private companies. ORG’s Policy Director, Javier Ruiz, had previously taken part in consultations over a two-year period to create safeguards for government data sharing. This enabled ORG to set the agenda for the proposals, including safeguards, limitations, trial, review, lapse of arrangements, documentation of arrangements. Unfortunately, the Government placed most of these restrictions in Codes of Practices for the Digital Economy Bill rather than on the face of the Bill itself. However, our points have been taken up by the ICO and both they and ourselves are attempting to bring stronger safeguards into the bill itself.

Copyright ten year sentences for online infringement

The ICO launched a consultation into proposals to align prison sentences for online and offline criminal copyright infringement in 2016. Unfortunately, this could capture nearly any infringing publication online, which is vastly wider than the criminal standards offline. Most copyright infringements are of course minor, such as casual file sharing or re-using copyrighted photographs on personal blogs. While these activities are often unwanted, they do not appear to us to be criminal in nature. They are currently dealt with as civil disputes rather than criminal acts. This process works and is more cost effective.

More importantly, threats that can cite criminal charges will exert a chill on small publishers and push people who receive unwarranted accusations to pay fees to copyright owners whether or not they have infringed copyright.

In 2015–16, 1,000 ORG supporters had made a submission to the ICO. The proposals were nevertheless introduced into the Digital Economy Bill and we are continuing to challenge them. The proposal would criminalise anything published online where licence fees have been unpaid, or that would create a ‘risk of loss’. This covers most online infringements including casual file sharing that is not done for financial gain. We have suggested changes to the wording of the Bill to ensure that such severe sentences are given to those guilty of serious commercial scale infringement.

EU copyright proposals and Digital Single Market

The EU published a draft Directive on Copyright in the Digital Single Market (DSM). The proposals included among others a completely new ancillary right for press publishers, similar to copyright but lasting for 20 years; and compulsory filtering of user uploads by online service providers. Both proposals have been severely criticised by copyright experts and civil rights groups.

The news publishers’ right (often called a “link tax”) would add a layer of complexity to internet regulation without bringing any benefits that could not already be achieved through existing copyright. The compulsory filters would weaken provisions around intermediary liability, and impact the exercise of users’ rights, exceptions and limitations, as automated systems fail to distinguish such cases.

ORG is part of Copyright for Creativity,[1] which campaigns for a new European approach to copyright. ORG staff travelled to Brussels to meet with MEPs and officials in March and September 2016.

We responded to the EU public consultation on the role of publishers in the copyright value chain – ancillary publishers’ rights – and on the common sense ‘panorama exception’, without which photographs of skylines could be held to be illegal, in June 2016. The panorama exception was not included in the draft Directive.

[1] http://copyright4creativity.eu/

[2] https://www.openrightsgroup.org/ourwork/reports/submission-to-the-ipo-call-for-views-modernising- the-european-copyright-framework

In October 2016, ORG submitted a response[2] to the Intellectual Property Office’s called for views on the European Commission’s draft legislation to “modernise the European copyright framework”,

In April 2016, ORG also responded to the European Commission’s public consultation on the evaluation and modernisation of the legal framework for the enforcement of intellectual property rights (IPRED).

In February 2016, ORG responded to a consultation by the European Commission on cross-border content portability. This considered whether people from the UK and other EU states should be able to access the same services they have subscribed to at home when they are travelling elsewhere in the EU.

We are in a wrong-headed world where imbalanced laws drive vast sums of money to be spent building technical mechanisms that treat every human being as an enemy to be constrained rather than a licence fee payer trying to catch up on EastEnders while on holiday.

In November 2015, Javier Ruiz participated the conference CopyCamp in Warsaw, for Poland, as well as in the concurrent School of Copyright, organised by EDRI.

Barcelona project

In the autumn of 2016, Javier Ruiz was brought into an external strategic consultancy team to help with the inception of the Spanish city’s Digital Transformation Strategy around the theme of Digital Sovereignty. This was a revenue generating activity for ORG, but also a way of helping European partners who needed an organisation with no direct interest to help them think through digital rights best practice.

Javier drafted a Technology Code of Practice for the city that included principles for a new deal on data based on ethics and citizen control, open technologies and an agile approach to development and procurement. Javier also worked with local officials to prepare a plan for extensive implementation of open source technologies in the municipality.

Data Protection

The UK government prepares to implement the EU General Data Protection Regulation before May 2018. ORG has engaged with the officials in charge, including face to face meetings, to ensure the UK maintains high levels of protection that ensure the future UK regime is fully compatible with the EU.

ORG is also working with other civil society groups to campaign for privacy organisations to be given the right to take cases to the regulator without the need to be instructed by individuals directly affected. This is an option in the EU GDPR but perceived as critical by rights groups to enforce privacy in increasingly complex data ecosystems.

In February 2016, Javier Ruiz participated in an expert seminar in Berlin on Open Data and Privacy, organised by Stiftung Neue Verantwortung (SNV), a “think tank that develops concrete ideas as to how German politics can shape technological change in society, the economy and the state”.[1]

Scotland

Our part-time Scotland Officer left ORG in November 2015. We delayed rehiring our Scotland Officer until the following financial year in order to hire at a more senior level with a larger salary and longer hours. We continued to work on devolved issues including the highly concerning Scottish ID system.

Local Groups

Our local groups worked on the Investigatory Powers Bill and other issues. We appointed our new Supporter Officer in 2016, in order to further build up local group activity, with immediate success. We had at the time 10 local groups[2] in many major cities, including London, Birmingham, Cambridge, Manchester, Bristol, and Aberdeen, holding regular meetings, Cryptoparties[3] and campaign events. We are looking towards much more local activity including outreach to other campaign organisations and MPs in 2017–18.

[1] https://www.stiftung-nv.de/about-us
[2] https://www.openrightsgroup.org/groups/ [3] https://en.wikipedia.org/wiki/CryptoParty

By order of the Board

James Cronin, Director

Accountants’ Report to the Directors of Open Rights

You consider that the company is exempt from audit for the year ended 31 October 2016. You have acknowledged, on the balance sheet, your responsibilities for complying with the requirements of the Companies Act 2006 with respect to accounting records and the preparation of the accounts. These responsibilities include preparing accounts that give a true and fair view of the state of affairs of the company at the end of the financial year and its profit or loss for the financial year.

In accordance with your instructions, we have prepared the accounts which comprise the Profit and Loss Account, the Balance Sheet and the related notes from the accounting records of the company and on the basis of information and explanations you have given to us.

The accounting records and explanations provided appear to be reasonable, however we have not carried out an audit or any other review, and consequently we do not express any opinion on these accounts.

Urban Ledgers Limited

14 Thornhill Square London

1 Accounting Policies

Basis of preparation of financial statements

The accounts have been prepared under the historical cost convention and in accordance with the Financial Reporting Standard for Smaller Entities (effective

2 Surplus income and the Accumulated Fund
As a not for profit company, all income is dedicated to its object of raising general awareness of digital rights matters and is credited to an accumulated fund to be used for future projects. As a company limited by guarantee and without share capital, income cannot be distributed to shareholders.

3 Corporation Tax
It is our understanding that corporation tax is not payable by Open Rights as it is a not for profit company.

4 Supporter Donations
Regular supporter donations are treated on a cash basis, i.e. are treated as pertaining to the month in which they are received.

5 Tangible Fixed Assets
Depreciation has been provided at the following rates in order to write off the assets over their useful economic lives:

Equipment 25% straight line

6 Staff Loans
Staff loans are extended typically for the purchase of season tickets, and are repaid by equal deductions from the employees’ salaries.