Blog

Today, Google release their latest transparency report, for Youtube takedowns. It contains information about the number of government requests for terrorist or extremist content to be removed. For a number of years, the government has promoted the idea that terrorist content is in rampant circulation, and that the amount of material is so abundant that the UK police alone are taking down up to 100,000 pieces of content a year.

These referrals, to Google, Facebook and others, come from a unit hosted at the Metropolitan Police, called CTIRU, or the Counter-Terrorism Internet Referrals Unit. This unit has very minimal transparency about its work. Apart from claiming to have removed over 300,000 pieces of terrorist-related content over a number of years, it refuses to say how large its workforce or budget are, and has never defined what a piece of content is.

Google and Twitter publish separate takedown request figures for the UK that must be largely from CTIRU. The numbers are much smaller than the tens of thousands that might be expected at each platform given the CTIRU figures of around 100,000 removals a year. For instance, Google reported 683 UK government takedown requests for 2,491 items through Jan-June 2017.

Google and Twitter’s figures imply that CTIRU file perhaps 2,000-4,000 removal requests a year, for maybe 12,000 items at most, implying a statistical inflation by CTIRU of around 1,000%.

A number of CTIRU requests have been published on the takedown transparency database Lumen. These sometimes have more than one URL for takedown. However this alone does not explain the disparity.

Perhaps a ‘piece of terrorist content’ is counted as that ‘piece’ viewed by each person known to follow a terrorist account, or perhaps everything on a web page is counted as a piece of terrorist content, meaning each web page might contain a terrorist web font, terrorist Javascript and terrorist CSS file.

Nonetheless, we cannot discount the possibility that the methodologies for reporting at the companies are in some way flawed. Without further information from CTIRU, we simply don’t know whose figures are more reliable.

There are concerns that go beyond the statistics. CTIRU’s work is never reviewed by a judge, and there are no appeals to ask CTIRU to stop trying to remove a website or content. It compiles a secret list of websites to be blocked on the public estate, such as schools, departmental offices or hospitals, supplied to unstated companies via the Home Office. More or less nothing is known: except for the headline figure.

Certainly, CTIRU do not provide the same level of transparency as Google and other companies claim to be providing. 

People have tried extracting further information from CTIRU, such as the content of the blacklist, but without success. Ministers have refused to supply financial information to Parliament, citing national security. ORG is the latest group to ask for information, for a list of statistics and a list of documents; turned down on grounds of national security and crime prevention. In the case of statistics, CTIRU are currently claiming they hold no statistics other than their overall takedown figure; which if true, seems astoundingly lax from even a basic management perspective.

The methodology for calculating CTIRU’s single statistic needs to be published, because what we do know about CTIRU is meaningless without it. Potentially, Parliament and the public are be being misled; or otherwise, misreporting by Internet platforms needs to be corrected.

[Read more]

The BBFC have released their public consultation calling for views on their regulations for age verification technology for use on porn sites. Respond to the consultation today to tell them to consider privacy!

Last Monday, the BBFC released a public consultation calling for people’s views on the guidance they plan to issue to age verification providers.

Under the Digital Economy Act, websites will soon have to ensure that all UK users are above the age of 18 before allowing them to view pornographic content. As the age verification regulator, it is the BBFC’s job to dictate how these age verification systems should work.

We have written in the past about the dangers of age verification - highlighting the lack of a focus by the Government on the potential privacy concerns. That was back in 2016, and this consultation paper proves that not much has changed since then. The Government have proved their lack of interest in user privacy by appointing the BBFC an especially narrow role that allows them only to issue guidance on how tools should work practically, and does not allow them to outline any requirements for tools to meet certain privacy standards.

Somebody needs to consider privacy

The consultation document highlights something that we has been worried about for a while - that a large regulatory gap would be left in the age verification landscape, with no group being assigned to the mammoth task of ensuring that age verification systems take user privacy seriously. The BBFC are given the job of only assessing the suitability of tools for verifying user age, and the closest that the Government’s system gets to addressing privacy is by noting that the BBFC should notify the Information Commissioner's Office (ICO) when it suspects an age verification tool is not complying with data protection laws.

Merely requiring that tools comply with the relevant data protection laws does not set a particularly high bar for user privacy. This still leaves a lot of scope for users’ data to be used in ways they may not expect. Users may be incentivised to “consent” to advanced data collection and usage within long Terms of Service or Privacy Policy documents that they cannot reasonably be expected to read.

To make things worse - the ICO aren’t even taking a proactive approach to assessing AV tools themselves. They will only take an interest when the tools are referred to them as a concern by the BBFC - who have confirmed in the past that they have neither the interest, nor the expertise, to deal with data protection issues.

The Government had the chance to make privacy a core focus of the Digital Economy Act during the drafting phase but instead decided to take the dangerous and irresponsible decision of leaving the market to decide on how the tools should work. This was a bad choice, but one that could be corrected. Privacy should be brought to the forefront of concerns about how AV tools must be structured, and an oversight body should be given the task of reviewing these tools continually for compliance with good privacy practices. This could be the BBFC, but it could just as easily be another body with experience in the area.

Towards a new data protection standard?

When considering how to protect the data of people who use age verification tools, the Government should consider how immensely sensitive data becomes when it links a person’s identity to their sexual preferences and activity. This is a move that would see hacks and leaks having a disproportionate impact on the LGBT community, and on people with niche sexual interests. In the wake of the Ashley Madison data breach, the impact of the leaked data led to multiple people being driven to suicide.

Certain classes of data, such as financial data, require stronger protection than is even offered by data protection law. Cardholder data must be held to the rigorous guidelines for security specified in the Payment Card Industry Data Security Standard. This is a legally enforceable measure, and anyone who breaks it gets shut down.

When considering the severity of past data breaches, such as the Ashley Madison leak, it is easy to see that age verification data is at least as sensitive as financial data, if not more.

Similarly, email and electronic communications must meet higher legal privacy standards than general data protection because they are particularly sensitive.

Does the government really believe that detailed information about someone’s sexuality is less worth of protection than card details and emails? The DEAct suggests that this is the position they've adopted.

At ORG, we would call for the Government to amend the law as it stands to ensure that a rigorous, legally enforceable data protection, privacy and security standard is implemented - ensuring that this kind of data is held under strict rules that reduce the impact of possible future data breaches.

If you agree, and want to make sure that user privacy is prioritised - then write to the BBFC and let them know that strong privacy is a must for age verification. 

[Read more]

The EU’s draft Directive on Copyright is a massive problem. It is an attempt by the EU to reform copyright legislation - in practice it effectively involves a huge ‘censorship machine’ which would filter all uploads from people in the EU to determine if they are infringing on copyright.

It would be the largest internet filter Europe has ever seen - reading every single piece of text uploaded to the internet, and watching every video. An algorithm will decide whether what you want to post will be seen or not.

In practice, the vague wording of the draft Directive would make a huge number of online platforms uncertain about whether or not they are breaking the law. This means that many platforms are likely to err on the side of aggressive filtering rather than getting embroiled in long and extremely expensive legal battles.

Not all user-generated content sites are Google/Youtube. Many fringe culture sites, like LGBTQ+ dating apps are smaller operations that would sooner limit their users’ activities rather than risk being taken to court. Wouldn’t this homogenise the rich cultural landscape that we benefit from in the EU? Surely, in this age of fierce fighting for gender equality, we shouldn’t be allowing new laws that unfairly restrict the activities of minority groups.

Sites wishing to stay active and comply with these new regulations, could face the crippling costs of implementing the new measures, such as the cost of scanning and identifying all images or songs uploaded (very expensive content identification technology) and getting permission from the owners to host and give access to all the content. It seems to be a lose-lose scenario for sites that have enabled people all over the world to communicate and share content on this unprecedented scale.

The current system regulating copyright infringement online is a negligence-based liability regime. This means, so long as platforms take action when notified of illegal content, they can’t be held liable for it. This ‘notice and take down’ system places the responsibility of tackling infringement on rights owners and leaves platforms open for users to communicate in a free and uninhibited way. Article 13 would flip that system and place the burden of monitoring user-uploads on the platforms. Social media sites, video sharing sites and even dating sites would be liable for any unlicensed uploads on their servers.

But what prompted this new directive? The major music corporations are upset because Youtube is the biggest streaming site, but the revenue from Youtube is significantly less than other streaming services like Spotify. The trouble is, their arguments never acknowledge that Youtube isn’t just a place for streaming music, it’s a platform where you can learn pretty much any skill. Plus, Youtube provides added value to musicians by having the biggest audience (by far) and by being a video platform. Why should Youtube pay the same as Spotify when it has that extra all-important feature? I would certainly argue that current digital content ecosystems are flawed, BUT this new directive is a totally barbaric solution.

The changes pushed for by the music industry would have much broader and far more severe implications than the damages they allegedly suffer currently. Article 13 applies to ALL types of content that people upload on the internet; this means from the industry-leading content creators – the award winners, to all the empowered user-creators who create and remix in their spare time. ALL types of content also means anything protected by copyright i.e. photos, videos, podcasts, software code, articles, music recordings and so on. Everything.

Making a mental list of the sites that host any one of these types of content as uploaded by users is like trying to list all 50 states in the United States; it takes ages and you never finish because there are always some you can’t think of, but that you know exist. Innocent bystanders like Wikipedia hosting text and images, could be subjected to these new rules. Wikipedia is a not-for-profit, how can it be fair to impose these heavy burdens onto the world’s first free online information repository?

In practice, this new directive could also affect what we choose to say online. Exceptions to copyright that allow us to make limited uses of works without permission, exist for our benefit. They include research, private study, commentary, criticism, education, parody and more. Article 13 would obscure these exceptions, which stem from fundamental rights like the right to education and freedom of expression. Sound good for democracy? The fact is, an automated content filter can’t tell the difference between someone uploading for review and someone just uploading. By placing the burden of policing content on platforms, we would see them tighten their belts and over-compensate by blocking legitimate content, to protect themselves from lawsuits.

The killer is, all these risks and dangers come from a set of laws lobbied for by music honchos who mainly have it in for Youtube. But Youtube is already complying - it already has licenses with rights owners, Content ID technology in place, and usage data reports for creators. So… will the reforms even affect their newfound nemesis? It seems as though they’re pushing forward, crossing their fingers and toes in the hopes of getting a bigger slice of the Youtube pie, without giving a second thought to the collateral damage.

That’s why the Open Rights Group are asking you to write to tell your MEP to SAY NO to Article 13!

[Read more]

Facebook Tracking Exposed (FTE) is a browser extension which intends to find out - but you won't find it in the chrome store because Facebook have issued a takedown request.

Facebook don’t want you to know how their algorithm works. That will hardly be a shock to you or anyone else, but it is a serious problem. The algorithm is what Facebook uses to determine what you, or anyone else around the world, will see.

What it chooses to promote or bury has become increasingly important to our democracy. But Facebook don’t want you to know how it works.

Facebook Tracking Exposed (FTE) is a browser extension which intends to find out - it lets users compare their timeline posts against the potential chronological content, helping them to understand why some posts have been promoted, and other haven’t. It also allows comparative research, pooling data to help researchers try and reverse engineer the algorithm itself.

So far, so great - but you won’t be able to find FTE in the chrome store because Facebook have issued a takedown on the basis on the basis of an alleged trademark infringement. Facebook do not want you to know how their algorithm works - how it controls the flow of information to billions of people.

To pretend the premise of Facebook’s trademark claim is reasonable for a second (it’s not likely - the ‘Facebook’ used in the name describes the purpose of the tool rather than who made it) the question becomes - is it reasonable for Facebook to use this as an excuse to continue to obfuscate their filtering of important information?

The answer, as all of the news around Cambridge Analytica is making clear, is that it absolutely is not. People looking to understand the platform they are using would find it very difficult to find without the ‘Facebook in the name’. But then, Facebook don’t want you to know how their algorithm works.

This is easy for Facebook to fix, they could revoke their infringement claim, and start taking on some genuine accountability. There is no guarantee that FTE will be able to perfectly reveal the exact workings of the algorithm - attempts to reverse engineer proprietary algorithms are difficult, and observations will always be partial and difficult to control and validate.

That doesn’t change the fact that companies like Facebook and Google need to be transparent about the ways they filter information. The information they do or don’t show people can affect opinions, and potentially even sway elections.

We are calling on Google to reinstate the application on the Chrome store and for Facebook to withdraw their request to remove the app. But, then, Facebook don’t want you to know how their algorithm works. 

[Read more]

This blog was originally hosted on New Statesmen Tech.

In recent years, many have warned about the dangers of Facebook knowing so much about everyone’s beliefs, preferences, and attitudes. Clearly Cambridge Analytica, the advertising firm accused of harvesting 50 million Facebook users’ data without their consent, thought they were a match made in – let’s say – purgatory. But let us focus on a particular claim made today by the Secretary of State for Digital, Culture, Media, and Sport, Matt Hancock: that the companies are operating in an internet “Wild West” in which the UK government is straining to impose law and order.

[Read more]

The Data Protection Bill is meant to be a major advance for privacy – unless you are trying exercise your legal right to live in the UK. Jim Killock, Executive Director, writes about why Data Protection is vital.

The government has introduced a sweeping “immigration exemption” in Schedule 2, Paragraph 4. The exemption will remove your right to data protection if it is likely to prejudice “effective immigration control” or the “investigation or detection of activities that would undermine the maintenance of effective immigration control”. What it won’t do is ensure effective immigration control.

This immigration exemption will ensure that the Government will not need to face up to its mistakes. Currently, according to the Government’s Chief Inspector of Borders and Immigration, mistakes and administrative errors are involved in 1 out of 10 immigration cases.

What’s it like to one of those 1 in 10? You can ask any one of the hundred EU citizens, living in the UK entirely legally, who were sent letters demanding they leave or risk deportation in August last year.

Or speak to Mustafa Ali Baig. He corrected an error in an old tax return, and the Home Office marked him down as an undesirable and gave him 14 days to leave the UK. Mustafa had paid the correct amount of tax, and he has no criminal record, he is being punished for being honest.  

Mustafa is able to challenge these Home Office mistakes, because he had the right to check the data the Government had on him, and is taking them to court. He was able to find out why the Government considered him undesirable. If the Government has its way, and Parliament make this exemption law, that won’t be an option in the future. 

The Government’s creation of a so-called ‘hostile environment’ for immigrants exacerbates all these concerns. From your patient records to your local food bank, the sheer amount of data that will now be subject to these checks is unfathomable. The Government has already set out plans to check through 70 million bank accounts to make sure the account holders are in the UK legally, and freeze the funds if not. The Government’s historic incompetence combined with a new inability for people to fact check them means that mistakes that get made could take years to sort out, causing untold damage and misery.

This exemption removes the obligation on the Government to process personal information fairly and transparently and would severely undermine important rights for millions of people living in the UK. 

The Data Protection Bill is supposed to protect your data, but this immigration exemption ensures it will do anything but. It is vital that MPs take action, and ensure Schedule 2, Paragraph 4 never receives Royal Assent.

[Read more]

No one said protecting the digital world was going to be easy (or cheap)!

The history of internet regulation is littered with foolish, dangerous proposals made by ignorant and/or self-serving lawmakers who treated the digital world as a kind of unimportant sideshow, regulating the net as though it were a mere pornography distribution system, or a video-on-demand service, or a jihadi recruiting tool.

That lack of gravitas and joined-up thinking leads policymakers into traps, where mass surveillance arrives by means of copyright proposals, where censorship creeps in through anti-terrorism laws, where every human right we have is undermined by ill-starred plans to fight terrorism, or bullying, or nebulously defined moral turpitude.

Since its founding in 2005, ORG has led the fight to join up the dots between all these issues, organising its supporters across the UK to put pressure on firms and officials to treat the internet with the gravitas befitting the subject, and to tread lightly when determining the course of the electronic nervous system of the 21st century.

Pressure only goes so far. Even as the idea that breaking the digital world also breaks the "real world" has gained currency in wider society, Britain's policy debt of foolish rules continues to accrue interest, snaring innocents in legal jeopardy and teeing up legal action whose precedents will redound on all of us for the rest of our lives and even the lives of our children.

That's why ORG is increasingly involved in courtroom battles alongside our fights in the public sphere. We've brought actions over web-blocking, the Snooper's Charter and mass surveillance, arguing before the highest courts in the UK and the EU, and we've got more challenges pending over the government's plan to assemble a giant database of the nation's porn-viewing habits through a misbegotten and ineffective "age-verification scheme."

These challenges don't come cheap: they require sustained legal attention from the most skilled legal minds, backed by huge support teams of legal assistants. There are plenty of groups that do this work, but none fills the niche that ORG occupies. ORG is unique in bringing both legal and technical expertise to these fights, able to join up the thinking of our allies from human rights, privacy, anti-censorship and other campaigning organisations, helping build coalitions that cut across these disciplines, finding common cause and surfacing the underlying issues in all the good works our allies do.

That's why we're seeking to sign up 500 new members: these sustaining donors will provide us with the sound financial basis on which to retain and support legal experts to represent us in these fights, and speak for long-term, sustainable internet policies that do justice to that one wire that delivers free speech, a free press, free association, access to civic and political life, to education and employment, to family and creativity.

If you're not already a member, join ORG today!

[Read more]

We are pleased to announce that Christi Scarborough, Brian Parkinson and Tom de Grunwald have been elected to the Open Rights Group Board of Directors. They are elected for a three year term by our members.

The full results are in the linked documents (report, results, details). Thanks also go to the other candidates, Oliver Spall and Mary Black, whose participation meant that we had a contested election with a set of very talented and interesting candidates.

We would also like to give our thanks to Ben Laurie, Maria Farrell and Milena Popova who are stepping down.

We would also like to thank Electoral Reform Services for conducting the election smoothly and professionally.

Our Board has nine members, elected or selected in three groups. At the end of 2018, our Advisory Council and former advisors will be asked to elect three further board members; and in late 2019 an open recruitment process will select three more.

[Read more]