Blog

The BBFC have released their public consultation calling for views on their regulations for age verification technology for use on porn sites. Respond to the consultation today to tell them to consider privacy!

Last Monday, the BBFC released a public consultation calling for people’s views on the guidance they plan to issue to age verification providers.

Under the Digital Economy Act, websites will soon have to ensure that all UK users are above the age of 18 before allowing them to view pornographic content. As the age verification regulator, it is the BBFC’s job to dictate how these age verification systems should work.

We have written in the past about the dangers of age verification - highlighting the lack of a focus by the Government on the potential privacy concerns. That was back in 2016, and this consultation paper proves that not much has changed since then. The Government have proved their lack of interest in user privacy by appointing the BBFC an especially narrow role that allows them only to issue guidance on how tools should work practically, and does not allow them to outline any requirements for tools to meet certain privacy standards.

Somebody needs to consider privacy

The consultation document highlights something that we has been worried about for a while - that a large regulatory gap would be left in the age verification landscape, with no group being assigned to the mammoth task of ensuring that age verification systems take user privacy seriously. The BBFC are given the job of only assessing the suitability of tools for verifying user age, and the closest that the Government’s system gets to addressing privacy is by noting that the BBFC should notify the Information Commissioner's Office (ICO) when it suspects an age verification tool is not complying with data protection laws.

Merely requiring that tools comply with the relevant data protection laws does not set a particularly high bar for user privacy. This still leaves a lot of scope for users’ data to be used in ways they may not expect. Users may be incentivised to “consent” to advanced data collection and usage within long Terms of Service or Privacy Policy documents that they cannot reasonably be expected to read.

To make things worse - the ICO aren’t even taking a proactive approach to assessing AV tools themselves. They will only take an interest when the tools are referred to them as a concern by the BBFC - who have confirmed in the past that they have neither the interest, nor the expertise, to deal with data protection issues.

The Government had the chance to make privacy a core focus of the Digital Economy Act during the drafting phase but instead decided to take the dangerous and irresponsible decision of leaving the market to decide on how the tools should work. This was a bad choice, but one that could be corrected. Privacy should be brought to the forefront of concerns about how AV tools must be structured, and an oversight body should be given the task of reviewing these tools continually for compliance with good privacy practices. This could be the BBFC, but it could just as easily be another body with experience in the area.

Towards a new data protection standard?

When considering how to protect the data of people who use age verification tools, the Government should consider how immensely sensitive data becomes when it links a person’s identity to their sexual preferences and activity. This is a move that would see hacks and leaks having a disproportionate impact on the LGBT community, and on people with niche sexual interests. In the wake of the Ashley Madison data breach, the impact of the leaked data led to multiple people being driven to suicide.

Certain classes of data, such as financial data, require stronger protection than is even offered by data protection law. Cardholder data must be held to the rigorous guidelines for security specified in the Payment Card Industry Data Security Standard. This is a legally enforceable measure, and anyone who breaks it gets shut down.

When considering the severity of past data breaches, such as the Ashley Madison leak, it is easy to see that age verification data is at least as sensitive as financial data, if not more.

Similarly, email and electronic communications must meet higher legal privacy standards than general data protection because they are particularly sensitive.

Does the government really believe that detailed information about someone’s sexuality is less worth of protection than card details and emails? The DEAct suggests that this is the position they've adopted.

At ORG, we would call for the Government to amend the law as it stands to ensure that a rigorous, legally enforceable data protection, privacy and security standard is implemented - ensuring that this kind of data is held under strict rules that reduce the impact of possible future data breaches.

If you agree, and want to make sure that user privacy is prioritised - then write to the BBFC and let them know that strong privacy is a must for age verification. 

[Read more]

The EU’s draft Directive on Copyright is a massive problem. It is an attempt by the EU to reform copyright legislation - in practice it effectively involves a huge ‘censorship machine’ which would filter all uploads from people in the EU to determine if they are infringing on copyright.

It would be the largest internet filter Europe has ever seen - reading every single piece of text uploaded to the internet, and watching every video. An algorithm will decide whether what you want to post will be seen or not.

In practice, the vague wording of the draft Directive would make a huge number of online platforms uncertain about whether or not they are breaking the law. This means that many platforms are likely to err on the side of aggressive filtering rather than getting embroiled in long and extremely expensive legal battles.

Not all user-generated content sites are Google/Youtube. Many fringe culture sites, like LGBTQ+ dating apps are smaller operations that would sooner limit their users’ activities rather than risk being taken to court. Wouldn’t this homogenise the rich cultural landscape that we benefit from in the EU? Surely, in this age of fierce fighting for gender equality, we shouldn’t be allowing new laws that unfairly restrict the activities of minority groups.

Sites wishing to stay active and comply with these new regulations, could face the crippling costs of implementing the new measures, such as the cost of scanning and identifying all images or songs uploaded (very expensive content identification technology) and getting permission from the owners to host and give access to all the content. It seems to be a lose-lose scenario for sites that have enabled people all over the world to communicate and share content on this unprecedented scale.

The current system regulating copyright infringement online is a negligence-based liability regime. This means, so long as platforms take action when notified of illegal content, they can’t be held liable for it. This ‘notice and take down’ system places the responsibility of tackling infringement on rights owners and leaves platforms open for users to communicate in a free and uninhibited way. Article 13 would flip that system and place the burden of monitoring user-uploads on the platforms. Social media sites, video sharing sites and even dating sites would be liable for any unlicensed uploads on their servers.

But what prompted this new directive? The major music corporations are upset because Youtube is the biggest streaming site, but the revenue from Youtube is significantly less than other streaming services like Spotify. The trouble is, their arguments never acknowledge that Youtube isn’t just a place for streaming music, it’s a platform where you can learn pretty much any skill. Plus, Youtube provides added value to musicians by having the biggest audience (by far) and by being a video platform. Why should Youtube pay the same as Spotify when it has that extra all-important feature? I would certainly argue that current digital content ecosystems are flawed, BUT this new directive is a totally barbaric solution.

The changes pushed for by the music industry would have much broader and far more severe implications than the damages they allegedly suffer currently. Article 13 applies to ALL types of content that people upload on the internet; this means from the industry-leading content creators – the award winners, to all the empowered user-creators who create and remix in their spare time. ALL types of content also means anything protected by copyright i.e. photos, videos, podcasts, software code, articles, music recordings and so on. Everything.

Making a mental list of the sites that host any one of these types of content as uploaded by users is like trying to list all 50 states in the United States; it takes ages and you never finish because there are always some you can’t think of, but that you know exist. Innocent bystanders like Wikipedia hosting text and images, could be subjected to these new rules. Wikipedia is a not-for-profit, how can it be fair to impose these heavy burdens onto the world’s first free online information repository?

In practice, this new directive could also affect what we choose to say online. Exceptions to copyright that allow us to make limited uses of works without permission, exist for our benefit. They include research, private study, commentary, criticism, education, parody and more. Article 13 would obscure these exceptions, which stem from fundamental rights like the right to education and freedom of expression. Sound good for democracy? The fact is, an automated content filter can’t tell the difference between someone uploading for review and someone just uploading. By placing the burden of policing content on platforms, we would see them tighten their belts and over-compensate by blocking legitimate content, to protect themselves from lawsuits.

The killer is, all these risks and dangers come from a set of laws lobbied for by music honchos who mainly have it in for Youtube. But Youtube is already complying - it already has licenses with rights owners, Content ID technology in place, and usage data reports for creators. So… will the reforms even affect their newfound nemesis? It seems as though they’re pushing forward, crossing their fingers and toes in the hopes of getting a bigger slice of the Youtube pie, without giving a second thought to the collateral damage.

That’s why the Open Rights Group are asking you to write to tell your MEP to SAY NO to Article 13!

[Read more]

Facebook Tracking Exposed (FTE) is a browser extension which intends to find out - but you won't find it in the chrome store because Facebook have issued a takedown request.

Facebook don’t want you to know how their algorithm works. That will hardly be a shock to you or anyone else, but it is a serious problem. The algorithm is what Facebook uses to determine what you, or anyone else around the world, will see.

What it chooses to promote or bury has become increasingly important to our democracy. But Facebook don’t want you to know how it works.

Facebook Tracking Exposed (FTE) is a browser extension which intends to find out - it lets users compare their timeline posts against the potential chronological content, helping them to understand why some posts have been promoted, and other haven’t. It also allows comparative research, pooling data to help researchers try and reverse engineer the algorithm itself.

So far, so great - but you won’t be able to find FTE in the chrome store because Facebook have issued a takedown on the basis on the basis of an alleged trademark infringement. Facebook do not want you to know how their algorithm works - how it controls the flow of information to billions of people.

To pretend the premise of Facebook’s trademark claim is reasonable for a second (it’s not likely - the ‘Facebook’ used in the name describes the purpose of the tool rather than who made it) the question becomes - is it reasonable for Facebook to use this as an excuse to continue to obfuscate their filtering of important information?

The answer, as all of the news around Cambridge Analytica is making clear, is that it absolutely is not. People looking to understand the platform they are using would find it very difficult to find without the ‘Facebook in the name’. But then, Facebook don’t want you to know how their algorithm works.

This is easy for Facebook to fix, they could revoke their infringement claim, and start taking on some genuine accountability. There is no guarantee that FTE will be able to perfectly reveal the exact workings of the algorithm - attempts to reverse engineer proprietary algorithms are difficult, and observations will always be partial and difficult to control and validate.

That doesn’t change the fact that companies like Facebook and Google need to be transparent about the ways they filter information. The information they do or don’t show people can affect opinions, and potentially even sway elections.

We are calling on Google to reinstate the application on the Chrome store and for Facebook to withdraw their request to remove the app. But, then, Facebook don’t want you to know how their algorithm works. 

[Read more]

This blog was originally hosted on New Statesmen Tech.

In recent years, many have warned about the dangers of Facebook knowing so much about everyone’s beliefs, preferences, and attitudes. Clearly Cambridge Analytica, the advertising firm accused of harvesting 50 million Facebook users’ data without their consent, thought they were a match made in – let’s say – purgatory. But let us focus on a particular claim made today by the Secretary of State for Digital, Culture, Media, and Sport, Matt Hancock: that the companies are operating in an internet “Wild West” in which the UK government is straining to impose law and order.

[Read more]

The Data Protection Bill is meant to be a major advance for privacy – unless you are trying exercise your legal right to live in the UK. Jim Killock, Executive Director, writes about why Data Protection is vital.

The government has introduced a sweeping “immigration exemption” in Schedule 2, Paragraph 4. The exemption will remove your right to data protection if it is likely to prejudice “effective immigration control” or the “investigation or detection of activities that would undermine the maintenance of effective immigration control”. What it won’t do is ensure effective immigration control.

This immigration exemption will ensure that the Government will not need to face up to its mistakes. Currently, according to the Government’s Chief Inspector of Borders and Immigration, mistakes and administrative errors are involved in 1 out of 10 immigration cases.

What’s it like to one of those 1 in 10? You can ask any one of the hundred EU citizens, living in the UK entirely legally, who were sent letters demanding they leave or risk deportation in August last year.

Or speak to Mustafa Ali Baig. He corrected an error in an old tax return, and the Home Office marked him down as an undesirable and gave him 14 days to leave the UK. Mustafa had paid the correct amount of tax, and he has no criminal record, he is being punished for being honest.  

Mustafa is able to challenge these Home Office mistakes, because he had the right to check the data the Government had on him, and is taking them to court. He was able to find out why the Government considered him undesirable. If the Government has its way, and Parliament make this exemption law, that won’t be an option in the future. 

The Government’s creation of a so-called ‘hostile environment’ for immigrants exacerbates all these concerns. From your patient records to your local food bank, the sheer amount of data that will now be subject to these checks is unfathomable. The Government has already set out plans to check through 70 million bank accounts to make sure the account holders are in the UK legally, and freeze the funds if not. The Government’s historic incompetence combined with a new inability for people to fact check them means that mistakes that get made could take years to sort out, causing untold damage and misery.

This exemption removes the obligation on the Government to process personal information fairly and transparently and would severely undermine important rights for millions of people living in the UK. 

The Data Protection Bill is supposed to protect your data, but this immigration exemption ensures it will do anything but. It is vital that MPs take action, and ensure Schedule 2, Paragraph 4 never receives Royal Assent.

[Read more]

No one said protecting the digital world was going to be easy (or cheap)!

The history of internet regulation is littered with foolish, dangerous proposals made by ignorant and/or self-serving lawmakers who treated the digital world as a kind of unimportant sideshow, regulating the net as though it were a mere pornography distribution system, or a video-on-demand service, or a jihadi recruiting tool.

That lack of gravitas and joined-up thinking leads policymakers into traps, where mass surveillance arrives by means of copyright proposals, where censorship creeps in through anti-terrorism laws, where every human right we have is undermined by ill-starred plans to fight terrorism, or bullying, or nebulously defined moral turpitude.

Since its founding in 2005, ORG has led the fight to join up the dots between all these issues, organising its supporters across the UK to put pressure on firms and officials to treat the internet with the gravitas befitting the subject, and to tread lightly when determining the course of the electronic nervous system of the 21st century.

Pressure only goes so far. Even as the idea that breaking the digital world also breaks the "real world" has gained currency in wider society, Britain's policy debt of foolish rules continues to accrue interest, snaring innocents in legal jeopardy and teeing up legal action whose precedents will redound on all of us for the rest of our lives and even the lives of our children.

That's why ORG is increasingly involved in courtroom battles alongside our fights in the public sphere. We've brought actions over web-blocking, the Snooper's Charter and mass surveillance, arguing before the highest courts in the UK and the EU, and we've got more challenges pending over the government's plan to assemble a giant database of the nation's porn-viewing habits through a misbegotten and ineffective "age-verification scheme."

These challenges don't come cheap: they require sustained legal attention from the most skilled legal minds, backed by huge support teams of legal assistants. There are plenty of groups that do this work, but none fills the niche that ORG occupies. ORG is unique in bringing both legal and technical expertise to these fights, able to join up the thinking of our allies from human rights, privacy, anti-censorship and other campaigning organisations, helping build coalitions that cut across these disciplines, finding common cause and surfacing the underlying issues in all the good works our allies do.

That's why we're seeking to sign up 500 new members: these sustaining donors will provide us with the sound financial basis on which to retain and support legal experts to represent us in these fights, and speak for long-term, sustainable internet policies that do justice to that one wire that delivers free speech, a free press, free association, access to civic and political life, to education and employment, to family and creativity.

If you're not already a member, join ORG today!

[Read more]

We are pleased to announce that Christi Scarborough, Brian Parkinson and Tom de Grunwald have been elected to the Open Rights Group Board of Directors. They are elected for a three year term by our members.

The full results are in the linked documents (report, results, details). Thanks also go to the other candidates, Oliver Spall and Mary Black, whose participation meant that we had a contested election with a set of very talented and interesting candidates.

We would also like to give our thanks to Ben Laurie, Maria Farrell and Milena Popova who are stepping down.

We would also like to thank Electoral Reform Services for conducting the election smoothly and professionally.

Our Board has nine members, elected or selected in three groups. At the end of 2018, our Advisory Council and former advisors will be asked to elect three further board members; and in late 2019 an open recruitment process will select three more.

[Read more]

Can extremist material be identified at 99.99% certainty as Amber Rudd claims today? And how does she intend to ensure that there is legal accountability for content removal?

The Government is very keen to ensure that extremist material is removed from private platforms, like Facebook, Twitter and Youtube. It has urged use of machine learning and algorithmic identification by the companies, and threatened fines for failing to remove content swiftly.

Today Amber Rudd claims to have developed a tool to identify extremist content, based on a database of known material. Such tools can have a role to play in identifying unwanted material, but we need to understand that there are some important caveats to what these tools are doing, with implications about how they are used, particularly around accountability. We list these below.

Before we proceed, we should also recognise that this is often about computers (bots) posting vast volumes of material with a very small audience. Amber Rudd’s new machine may then potentially clean some of it up. It is in many ways a propaganda battle between extremists claiming to be internet savvy and exaggerating their impact, while our own government claims that they are going to clean up the internet. Both sides benefit from the apparent conflict.

The real world impact of all this activity may not be as great as is being claimed. We should be given much more information about what exactly is being posted and removed. For instance the UK police remove over 100,000 pieces of extremist content by notice to companies: we currently get just this headline figure only. We know nothing more about these takedowns. They might have never been viewed, except by the police, or they might have been very influential.

The results of the government's’ campaign to remove extremist material may be to push them towards more private or censor-proof platforms. That may impact the ability of the authorities to surveil criminals and to remove material in the future. We may regret chasing extremists off major platforms, where their activities are in full view and easily used to identify activity and actors.

Whatever the wisdom of proceeding down this path, we need to be worried about the unwanted consequences of machine takedowns. Firstly, we are pushing companies to be the judges of legal and illegal. Secondly, all systems make mistakes and require accountability for them; mistakes need to be minimised, but also rectified.

Here is our list of questions that need to be resolved.

1 What really is the accuracy of this system?

Small error rates translate into very large numbers of errors at scale. We see this with more general internet filters in the UK, where our blocked.org.uk project regularly uncovers and reports errors.

How are the accuracy rates determined? Is there any external review of its decisions?

The government appears to recognise the technology has limitations. In order to claim a high accuracy rate, they say at least 6% of extremist video content has to be missed. On large platforms that would be a great deal of material needing human review. The government’s own tool shows the limitations of their prior demands that technology “solve” this problem.

Islamic extremists are operating rather like spammers when they post their material. Just like spammers, their techniques change to avoid filtering. The system will need constant updating to keep a given level of accuracy.

2 Machines are not determining meaning

Machines can only attempt to pattern match, with the assumption that content and form imply purpose and meaning. This explains how errors can occur, particularly in missing new material.

3 Context is everything

The same content can, in different circumstances, be legal or illegal. The law defines extremist material as promoting or glorifying terrorism. This is a vague concept. The same underlying material, with small changes, can become news, satire or commentary. Machines cannot easily determine the difference.

4 The learning is only as good as the underlying material

The underlying database is used to train machines to pattern match. Therefore the quality of the initial database is very important. It is unclear how the material in the database has been deemed illegal, but it is likely that these are police determinations rather than legal ones, meaning that inaccuracies or biases in police assumptions will be repeated in any machine learning.

5 Machines are making no legal judgment

The machines are not making a legal determination. This means a company’s decision to act on what the machine says is absent of clear knowledge. At the very least, if material is “machine determined” to be illegal, the poster, and users who attempt to see the material, need to be told that a machine determination has been made.

6 Humans and courts need to be able to review complaints

Anyone who posts material must be able to get human review, and recourse to courts if necessary.

7 Whose decision is this exactly?

The government wants small companies to use the database to identify and remove material. If material is incorrectly removed, perhaps appealed, who is responsible for reviewing any mistake?

It may be too complicated for the small company. Since it is the database product making the mistake, the designers need to act to correct it so that it is less likely to be repeated elsewhere.

If the government want people to use their tool, there is a strong case that the government should review mistakes and ensure that there is an independent appeals process.

8 How do we know about errors?

Any takedown system tends towards overzealous takedowns. We hope the identification system is built for accuracy and prefers to miss material rather than remove the wrong things, however errors will often go unreported. There are strong incentives for legitimate posters of news, commentary, or satire to simply accept the removal of their content. To complain about a takedown would take serious nerve, given that you risk being flagged as a terrorist sympathiser, or perhaps having to enter formal legal proceedings.

We need a much stronger conversation about the accountability of these systems. So far, in every context, this is a question the government has ignored. If this is a fight for the rule of law and against tyranny, then we must not create arbitrary, unaccountable, extra-legal censorship systems.

[Read more]