August 05, 2015 | Jim Killock and Maxine Chng

Should file sharers face ten years in gaol?

New proposals to make online copyright infringement a criminal offence risk punishing users who share links and files online more harshly than ordinary, physical theft.

The IPO has recently started consultation on proposals to increase the maximum prison sentence for criminal online copyright infringement to 10 years, aiming to match sanctions for online copyright infringement with physical copyright infringement. The rationale behind this is that similar offences should attract similar penalties, regardless of the platform used in committing the crime.

Although ORG agrees with IPO's rationale that the online environment should not confer less protection, IPO's proposals are problematic. The existing offence is outlined in section 107 of the Copyright Designs and Patents Act. It can be brought against both criminals who deliberately infringe copyright by operating filesharing services and also against people who share links and files without the intention or knowledge that it would actually prejudice the copyright owner.

The IPO is suggesting that people can be sentenced for up to ten years for online copyright infringement that “affects prejudicially” a copyright holder. While this may sometimes be appropriate, the underlying offence is very broad, and requires no intent on the part of the offender. There is no separation in the offence between different kinds of infringement, which opens the possibility of non-literal copying, such as excessive quotation or incidental use, being the subject of these offences. 

We are particularly worried that this could lead to heavy handed punishments for individuals who are sharing files, who may have no intent to harm or cause damage. While such people should be seen as committing a civil offence, they should face more appropriate punishments. By means of comparison, ten years gaol is longer than the maximum penalty of seven years for physical theft, which requires actual intent.

Commercial infringements “In the course of a business” can be much more reasonably targeted by harsher sentences, but here too there are risks as there is no easy way to distinguish between a legitimate business making mistakes and one seeking to abuse the copyright of others for profit.

In all cases, there is scope for exaggeration and misconception of the scale of damage being created. Online infringement is hard to estimate and damages are often assumed to be much higher than in cases of physical infringement. It is therefore much easier for an individual to appear to be “affecting prejudicially” the business interests of another, and find themselves accused of committing a criminal offence with a very long possible gaol sentence. This is inappropriate.

Anne Muir's case from 2011 illustrates exactly the dangers of parity as proposed by IPO. She admitted to distributing copyrighted music files worth up to £54,000 using a filesharing application. Lawyers claimed that she uploaded files to build her self-esteem. She did not financially gain: while she certainly sounds misguided it seems unlikely that she should be regarded as a hardened criminal.

There are already criminal sentencing options that are tough enough to deal with organised online copyright infringers. The Federation Against Copyright Theft has on previous occasions carried out private prosecutions under the Criminal Justice Act 1987's common law conspiracy to defraud. This offence fetches a maximum sentence of 10 years – the same as physical copyright infringement. It is also not difficult to obtain a conviction for conspiracy to defraud under the Fraud Act 2006. All that must be proved is false representation, a failure to disclose information or abuse of position. Intention to defraud is not at all required.

For example, in 2012, Anton Vickerman was sentenced to 4 years imprisonment for allegedly causing losses of up to £198 million. He had been operating an illegal streaming website called "SurfTheChannel". Compare this with the defendant in R v Hatton (2008), who was sentenced to 18 months imprisonment for pirating 20,000 DVDs.

People committing crimes should be punished, and copyright should be supported by enforcement. However, copyright should be subject to the same kinds of standards as other crimes. As this offence stands, it is much stricter and harsher than other kinds of crimes, and therefore risks bringing copyright into disrepute should individuals be prosecuted and threatened with long gaol sentences for non-commercial misdemeanours. We are therefore asking for the sentence to be left as it stands.

The offence itself, to infringe "otherwise than in course of a business to such an extent as to affect prejudicially the owner of the copyright" needs to be removed or modified to exclude non-commercial infringers, or to introduce notions of intent to harm alongside qualifications to measure the kind of harm being targeted. Once this is done, longer sentences targeted at commercial infringers may be justified.

The IPO's consultation closes on 17 August 2015, 11.45pm. You can respond by using our online form



July 28, 2015 | Maxine Chng

Answers needed from the Copyright Police

The City of London Police's Intellectual Property Crime Unit (PIPCU) has been the subject of controversy following take-down notices sent to overseas domain registrars. We believe they need to strengthen their commitments to due process, independence and transparency.

The City of London Police's Intellectual Property Crime Unit (PIPCU) first became operational in 2013. According to PIPCU's website, the unit is aimed at tackling serious and organised IP crime committed using an online platform. The unit is publicly funded by the Intellectual Property Office.

A few months into PIPCU's operation, there was an international controversy regarding easyDNS. PIPCU had sent notices to the Canadian-based domain registrar, requesting them to take down an alleged copyright infringing website, but without court orders. easyDNS refused to comply and had even initiated a Transfer Dispute Resolution Process against another registrar who complied with PIPCU's request and refused to allow three of its domains to transfer away to easyDNS. The National Arbitration Forum decided in favour of easyDNS, recognising that allowing a registrar to withhold transfer based simply on a law enforcement agency's suspicion and without judicial intervention gives way to potential for abuse.

PIPCU also runs Operation Creative: a partnership with the UK's advertising industry and rights holders, formed to prevent websites from providing unauthorised access to copyrighted material. Specifically, Operation Creative seeks to disrupt their ad revenue streams.

Because of public concerns, ORG started corresponding with PIPCU in December 2013, asking for clarification on several matters:

Due process
PIPCU has been making take-down requests without a court order. This sidesteps the legal safeguard of due process which requires the state to respect all individual rights. The authority to compel the take-down of websites is a significant power because it censors the internet. It decides what kind of information people may provide or receive. A court order is necessary to ensure that these decisions have not been made arbitrarily and to check that the party carrying out these requests has the proper legal basis to do so.

PIPCU claims that its operations are fully independent. However, this may be threatened in relation to Operation Creative. As part of this operation, private right holders are able to influence PIPCU's activities by identifying and reporting the alleged copyright infringing sites to PIPCU. PIPCU then takes action, sending take-down requests to domain registrars. These registrars are then requested to redirect the IP address of these websites to a notice displaying links to paid commercial alternatives. This situation is concerning because Operation Creative's members are able to enjoy greater market power compared with businesses that are not involved in PIPCU's partnership initiative. It is puzzling why certain businesses should receive free advertising.

Although the officers from PIPCU will evaluate the strength of the evidence reported against the websites, it is unclear what guidelines advise PIPCU's decisions. PIPCU has told ORG that sites must have satisfied the criminal standard of proof in order for action to be taken, but this is a technical legal concept which is unclear to the public. Instead, it is necessary to publish clear criteria which are easily accessible by the public, especially since the same infringing activities are capable of being treated either as criminal or civil.

Also, PIPCU currently does not publish its Infringing Website List, but shares it amongst Operation Creative members only. We think that the public should not be kept in the dark about decisions that detrimentally affect the type of information they are able to share and receive.

We have written to Commander Head of PIPCU, stressing these concerns. Our series of correspondence can be read here:


July 22, 2015 | Maxine Chng

UK Court rules DRIPA unlawful

Last week, the High Court ruled that the Data Retention and Investigatory Powers Act 2014 (DRIPA) was inconsistent with EU law.

The successful judicial review was brought by Liberty, represented by David Davis MP and Tom Watson MP, with ORG and PI acting as intervenors.

The case was originally presented as a human rights challenge, but the central questions that were examined in court concentrated on whether or not the powers conferred by DRIPA were compatible with EU law. These were questions that ORG brought to the court. In answering this question, Lord Justice Bean and Mr Justice Collins confirmed that EU law, as set out by the Court of Justice of the EU in the case Digital Rights Ireland (DRI), is indeed applicable to UK law.

The High Court ultimately found that DRIPA was incompatible with EU law and referred to two criteria laid down by the CJEU in the DRI judgment. Firstly, DRIPA failed to provide clear and precise rules regarding the access to and use of the retained communications data. Secondly, DRIPA does not make prior review by a court or an independent administrative body a mandatory requirement for access to the retained data.

Although it is now clear that the DRI judgment applies to UK law, not all of the CJEU's demands have been accepted by the UK courts. One of the remaining issues is that the retention of data should be restricted to a particular time period, geographical area and/or persons. However, the High Court thought that such a restriction would be completely impractical. According to the High Court:

“The CJEU cannot have meant that CSPs [communication service providers] can only lawfully be required to retain the communications data of “suspects or persons whose data would contribute to the prevention, detection or prosecution of serious criminal offences”. Such a restriction would be wholly impracticable. Rather the Court must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens’ rights set out in Articles 7 and 8 of the Charter.”

This makes way for general retention practices which may be over-broad. We should note that the CJEU in DRI was specifically concerned about the proportionality of any interference with the rights guaranteed under the Charter. It is difficult to see how such general retention powers can be proportional, given that they affect even persons for whom no evidence exists to suggest their involvement in serious crime.

The High Court ruled that a general retention regime must be accompanied by an access regime, whereby there must be prior review by a court or an independent administrative body.

An access regime is necessary to ensure that the access to and use of such data is strictly restricted for purposes such as national security, defence and public security. However, an over-broad data retention practice may not be counteracted simply with a narrower access regime. This is because broad retention practices create a large pool of personal information that can still be preyed upon by those who are not authorised to access it. Data retention in a generalised manner also creates a chilling effect, capable of undermining the freedom to information as users' distrust of the internet as a means of communication grows.

The High Court has also opened the question of the UK's authorisation regime for data requests. The CJEU judgment requires independent prior review for access to retained data. This judgment does not address personal data held by telecoms companies for business purposes or with consent from users. The access regime for personal data retained or just held is provided under RIPA, which allows for self-authorisation by the police. It would be highly impractical to run two separate access regimes for retained and other personal data. Now that the court has flagged this matter up, Parliament has the opportunity to reconsider the access regime as a whole.

The High Court's judgment is very welcome as it asserts the supremacy of EU law which has properly considered the retention and protection of data. A similar question with regards to the general retention of data has also arisen in Sweden, with their courts asking the CJEU to clarify if:

“Retention [may] nevertheless be permitted where access by the national authorities to the retained data is determined as described below; security requirements are regulated as described below; and all relevant data are to be retained for six months … and subsequently deleted…..?”

This issue is still ongoing as the CJEU's final opinion is yet to be seen. Worryingly, the CJEU may not hear from civil society intervenors. Similarly, we can expect the UK government to appeal the decision and perhaps request a reference back to the CJEU. Meanwhile, other countries, including Belgium, the Netherlands, Germany, Austria, Bulgaria, Romania and others, have removed data retention from their laws. So far, their police seem to be detecting crime without major complaints.


July 14, 2015 | Jim Killock

RUSI review adds to consensus for reform

The RUSI review offers few surprises, and has turned out to be less a trailblazer, and more an indication of what the security establishment believes the agencies might accept.

Their Panel included three former senior security staff, and RUSI are themselves very close to the UK’s defence and security apparatus. Thus the tone of the report was always likely to address the concerns of GCHQ and the Foreign Office before those of civil society. Martha Lane Fox, Ian Walden and Heather Brooke will have had a tough job to help produce a relatively balanced report that does at least go some way to address wider concerns.

RUSI follows reports from the Independent Reviewer of Terrorism Legislation, David Anderson, and the Intelligence and Security Committee, so makes reference to many of their ideas. The RUSI report does less well than the Anderson Report in one very key regard: it does not set out the need for human rights courts to set the boundary between “bulk collection” and “mass surveillance”. It is hard to say that bulk collection should never take place (it might sometimes be necessary and proportionate) but it will rarely happen in isolation. Combined with processing and profiling, it is hard to see GCHQ’s activities as anything other than mass surveillance.

The reason that all of the reports have strained to avoid calling out the government on mass surveillance comes in two parts. Firstly, the ISC, Anderson and RUSI are to different extents insider voices. Anderson has been the most independent and critical, but is playing the role of a reviewer, not a human rights court. He has maximised his ability to make constructive criticism, and advance sound ideas of reform, but stepped back from making the most serious challenges, leaving this question to higher powers, in the form of the courts. The ISC published a report which mixes justifications with good ideas for change, but is less critical than Anderson. RUSI falls somewhere between the two.

The important thing to note is that consensus is emerging on many areas, especially around the need for much stronger oversight and clearer laws. All the reports focused on the need to rewrite RIPA, as essentially incomprehensible. Anderson and RUSI talk about merging the fractured Commissioners to ensure that their role is strengthened. All three want better means for individuals to seek redress through the Investigatory Powers Tribunal and to appeal if it rules against them.

Anderson opened up the call for judicial warrants for interception, and RUSI has come some way to accepting this idea. Both RUSI and Anderson back the idea of international treaties to govern data requests (called Mutual Legal Assistance Treaties, or MLATs) as a key mechanism for gaining access to material needed in investigations.

RUSI is silent on the question of new powers of bulk collection and analysis that we are expecting to be proposed for the police in the proposed Investigatory Powers Bill this Autumn. RUSI focuses on technical oversight and improving national police strategy and training.

Theresa May however has indicated she wants the powers she was denied when the Snoopers’ Charter, or Communications Data Bill was dropped. The ISC stopped short of demanding these powers in their report, and Anderson said that any such capabilities needed to be preceded by a clear operational case, which he had not seen. However, after the recent atrocities in Tunisia, the Home Office will likely sense an opportunity to push Labour towards a consensus for new powers, even if they are entirely unrelated and unlikely to help. Labour should simply apply the tests that Anderson has placed in front of them: what problem are the capabilities actually supposed to be dealing with and at what cost?

RUSI’s report no longer has the political clout stemming from its original association with Nick Clegg as Deputy Prime Minister. The benchmark for reform is the Anderson report, as it was commissioned through Parliament, and Labour claim it as their concession for backing the emergency DRIP bill. If we expect the government to seek cross party consensus, then we should be looking to Anderson to persuade Labour and independent-minded Conservatives of the kinds of change they should be looking for.


July 10, 2015 | Jim Killock

Caspar Bowden

We’d like to express our sorrow at Caspar Bowden’s passing, and to note some of his very remarkable achievements over the last few years. Caspar has been an active member of our Advisory Council since joining it in October 2013 and helped us greatly with our views on surveillance policy, security and European data protection.

Among his contributions to ORG were a series of lectures he gave prior to the PRISM revelations, where he pointed out the gaping holes in US legislation that could allow bulk collection and access to US corporations’ data vaults. At the time, he was pretty much the only person in Europe making these points, cogently and loudly.

Caspar also condemned the holes in European data protection legislation that made US political surveillance impossible to resist. He was consistent in showing the flaws in data transfer rules that would make Europeans’ data rights increasingly impossible to protect. On all these points, Caspar has been setting the agenda, and pushing harder than the Commission or US governments would like. Doing that puts you in a lonely place, and often does not win you friends, but his analysis and assessment of the importance of these points has been shown by events to be correct.

Caspar helped ORG with our work on the Snoopers’ Charter, which is the bastard child of data retention, itself one of his career-long fights. In his chapter on data preservation for our report, he explained how data retention was being combined with collection and analysis:

The Home Office has the Olympic chutzpah to call the apparatus for data-mining all this information a “Filter”, and to justify it in the name of human rights. It says that by connecting up a virtual database (to hunt for arbitrary patterns of suspicion in all the data), they won’t have to build a new central database. But the point is the untrammelled power to hunt through every private life with the tools of military intelligence … It ought to be obvious that continuously recording the pattern of interactions of every online social relationship, and analyzing them with the “Filter”, is simply tyrannical.

Those kinds of observations are what made him an inspiration to campaigners and activists in the digital rights movement.

Caspar, you’ll be missed.



July 09, 2015 | Maxine Chng

DRIPA challenge in court today

The challenge to DRIPA brought by David Davis and Tom Watson was discussed in court today, as the government sought to refer key questions to the EU courts.

Last year, Tom Watson MP and David Davis MP representing Liberty, brought judicial review proceedings to challenge the Data Retention and Investigatory Powers Act (DRIPA). Earlier this year, ORG and PI were granted permission by the court to intervene and made points about European law. Initially focusing on a question of compatibility with the European Convention on Human Rights (ECHR), the proceedings now concentrate on DRIPA's conformity with EU law, particularly Article 15 of the ePrivacy Directive.

Generally, the ePrivacy Directive provides for the individual right to confidentiality, erasure and anonymity of one's communication data. Article 15 sets out an exception, whereby Member States can restrict those rights when “necessary, appropriate and proportionate” to safeguard, among others: national security, defence and public security. ORG and PI highlighted in our interveners' submission that the Court of Justice of the European Union (CJEU) in Digital Rights Ireland (DRI) had already set out the requirements that domestic law must follow in order to comply with Article 15.

Since then, however, the government had requested a reference from the CJEU to clarify how the DRI decision affects UK law. A hearing was held at the Royal Courts of Justice on Thursday morning to determine if the request for reference should indeed be granted.

The government claimed that the CJEU's decision in DRI was in relation to a different legal context, as it was made in reference to the Charter of Fundamental Rights of the EU. On the other hand, the current case tests DRIPA's compatibility with the ECHR or ePrivacy Directive.

Liberty opposed the government's request for a reference, concerned that a reference from the CJEU would only delay the judicial review proceedings. They contend that the relevant principles of EU law are already clear and have been fully considered by the CJEU in DRI. The court agreed and rejected the reference request. A draft judgment is expected to be issued next week.


June 23, 2015 | Ed Johnson-Williams

Net Neutrality in Europe in danger

Net neutrality is under threat in Europe and we urgently need your help before 29th June!

Net neutrality is the principle that Internet Service Providers should treat all data on the Internet equally. It's about minimising the restrictions on which parts of the Internet you can access. And it's about allowing startups to compete with big Internet firms and supporting innovation in the digital economy.

Shortly before the European Parliament elections last May, MEPs voted with a large majority in favour of net neutrality. The vote was a major step towards protecting the open internet in Europe. But then the European Council - which is made up of the Member states of the European Union - hammered out their version of what net neutrality rules they wanted. And it turns out that their version of net neutrality is not worthy of that name.

The Council's text could allow Internet Service Providers to charge customers and companies extra for receiving and delivering different types of online services. Only those who pay more will have easy access to an audience online. It would also authorise blocking of lawful content. This is completely counter to net neutrality and contradicts the Parliament's position.

The Council and the Parliament have been negotiating the final text of the new net neutrality rules for the last few months. And we've seen the Parliament give in to the Council's demands time and again while the Council has given up almost nothing. The Parliament have even conceded on the definition of net neutrality. The phrase net neutrality isn't even in the most recent working text. The Council has successfully replaced it with a vague "open internet" which suggests there is a "non-open" Internet, which is worrying.

If the Council gets their way then net neutrality in Europe will be under extreme threat. The next negotiations are set for 29th June. Until now MEPs haven't heard a lot from European citizens about why they need to stand up for their previous position in support of net neutrality. They need to hear from us now so they know that this is something European citizens care about.

Can you email and tweet the MEPs who are negotiating on net neutrality? You can choose to contact an MEP from the UK using the 'Filter by country' menu.

EDRi (European Digital Rights) have been doing outstanding work tracking and campaigning on European net neutrality proposals. EDRi campaigns for digital rights in the EU and ORG is one of their members. Find out more about their excellent work on their website.


June 11, 2015 | Pam Cowburn

Anderson review: "It is time for a clean slate"

The UK's Independent Reviewer of Terrorism Legislation has said, “it is time for a clean slate” when it comes to surveillance law in the UK. In his report published today, David Anderson QC condemned the current legislative framework as, “fragmented, obscure, under constant challenge and variable in the protections that it affords the innocent”.

Anderson was tasked with reviewing surveillance law as a requirement of the Data Retention and Investigatory Powers Act – one of the concessions gained by Labour and the Lib Dems in return for their support in rushing the Bill through Parliament last July.

Anderson, unsurprisingly, does not condemn mass surveillance in principle and endorses bulk collection by the security services, but the report does call for a radical overhaul of how surveillance is regulated.

Here are some of the key points:

Legal reform: Since the Snowden revelations began two years ago, Parliament has further legislated for surveillance through DRIPA, the Counter Terrorism and Security Act 2015 and amendments to the Computer Misuse Act that legitimise hacking by the security services. Anderson's damning verdict that the law, "is variable in the protections that it affords the innocent” can't be ignored. The report says: "A comprehensive and comprehensible new law should be drafted from scratch, replacing the multitude of current powers and providing for clear limits and safeguards on any intrusive power that it may be necessary for public authorities to use."

Warrants: Under the current system, warrants for surveillance are signed off by government ministers, who are not independent. Anderson's recommendation that warrants should be signed off by judicial commissioners is a welcome shift away from political authorisation but it would be preferable for warrants to go through the courts and be signed by serving judges to help make sure that surveillance is 'necessary and proportionate'.

Snoopers' Charter: Anderson says that before capabilities are extended through a new Snoopers' Charter, “a detailed operational case needs to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained”. So far the Government hasn't made such a case. In addition, it has made a report by Sir Nigel Sheinwald top secret. That report is believed to have suggested that a new international treaty could be a legal alternative to the Snoopers' Charter. Despite this, the Home Secretary Theresa May today told the House of Commons that the re-drafted Snoopers' Charter would be laid before Parliament in the autumn, although it would be scrutinised by a Joint Committee.

It is unlikely that Anderson's review and the Intelligence and Security Committee's Privacy and Security report would have happened were it not for Edward Snowden's revelations. Two years on, there are still many battles to be fought but one thing is certain - the status quo cannot continue. MPs from all parties must act to ensure that the UK has surveillance powers fit for a democracy.  

You can sign our petition against the Snoopers' Charter here.
