call +44 20 7096 1079


June 13, 2013 | Jim Killock

Website filtering problems are a “load of cock”

On Tuesday, I spoke at an event organised by the Sunday Times and Policy Exchange about online pornography and child protection. This was in the run-up to the opposition debate that took place in Parliament on Wednesday on these topics.

The motion laid down by Labour says:

That this House deplores the growth in child abuse images online; deeply regrets that up to one and a half million people have seen such images; notes with alarm the lack of resources available to the police to tackle this problem; further notes the correlation between viewing such images and further child abuse; notes with concern the Government's failure to implement the recommendations of the Bailey Review and the Independent Parliamentary Inquiry into Online Child Protection on ensuring children's safe access to the internet; and calls on the Government to set a timetable for the introduction of safe search as a default, effective age verification and splash page warnings and to bring forward legislative proposals to ensure these changes are speedily implemented.

The "1.5m" statistic has been debunked elsewhere, but the alarming point here is the deliberate conflation of child abuse images and legal material, potentially accessed by children. The motion slips from talking about child abuse images, to 'safe searches' to protect children from seeing adult material. Just as worrying is the adoption of a position in favour of default blocking by Labour. You can read a transcript of the debate on Hansard.

claire perry at policy exchange, Policy Exchange CC-BY

This is a symptom of a wider problem with this debate - a failure to properly distinguish between different categories of content, and the different methods of dealing with them.  That requires at least some understanding of the technology - the details matter.

A further problem is an unwillingness from some MPs to appreciate or even acknowledge the problems with technical solutions. In the debate on Tuesday, I tried to outline the problems with filtering, including the over and under-blocking of content.

Claire Perry helpfully described such problems as a "load of cock". Helpfully, because such a comment would be very likely to be caught by a filter and cause it to be blocked, while not, of course being pornographic. 

Claire also got applause for suggesting that blocked websites were simply collateral damage necessary to protect children. This is the kind of woolly thinking that thankfully got rejected by her government, which recognised that economic harm stems from blocking legitimate websites, for instance. After all, if you can protect children, and avoid blocking for adults, why not? Can some balance not be struck?

Unfortunately, in the eyes of many MPs, arguing for balance is betraying children. If any children can access more porn than we can technically prevent, then we have failed. Of course, filters don't always work and can be easily got round, but if our solution helps a bit, surely that is better than nothing?

These kinds of position, once you examine them, are pretty incoherent. Filters that don't work well will probably get switched off. Defaults that block too much may encourage people to remove the filters. Parents may assume their children are safe when filters are switched on. Software design is iterative not legislative; yet legislation is often favoured over industry engagement.

The child protection debate over the last two years has won Claire Perry many friends, who believe she has raised the profile of an issue and got results. Certainly, the fact that ISPs are building network level filters points to this, but I was intrigued by a question at the debate on Tuesday. Apparently children are installing Chrome, because it was suggested that helps them access porn sites and gets round filters.

We did try to tell Claire this kind of thing would happen, before she persuaded ISPs to spend millions of pounds on network filters. Even with filters, if parents leave children with admin privileges, they will be able to use their computers to trivially defeat any blocks. Some MPs in the debate in Parliament suggested only 'very clever' folk will be able to get round filtering. This isn't true – most children will find this easy.

Which leaves us with the harms on all sides, to websites, adults and children, without the supposed benefits.

Labour have essentially made the same mistake as Culture Secretary Maria Miller's letter to online companies, in which she invited Internet companies to a proposed 'summit':

Recent horrific events have again highlighted the widespread public concern over the proliferation of, and easy access to, harmful content on the internet. Whether these concerns focus on access to illegal pornographic content, the proliferation of extremist material which might incite racial or religious hatred, or the ongoing battle against online copyright theft, a common question emerges: what more can be done to prevent offensive online content potentially causing harm?

It is clear that dangerous, highly offensive, unlawful and illegal material is available through basic search functions and I believe that many popular search engines, websites and ISPs could do more to prevent the dissemination of such material.

The debate and letter confuse legal, illegal and potentially harmful content, all of which require very different tactics to deal with. Without a greater commitment to evidence and rational debate, poor policy outcomes will be the likely result. There's a pattern, much the same as the Digital Economy Act, or the Snooper's Charter.

Start with moral panic; dismiss evidence; legislate; and finally, watch the policy unravel, either delivering unintended harms, even to children in this case, or simply failing altogether.

ORG, Index on Censorship, English PEN and Big Brother Watch have written to the Culture Secretary Maria Miller demanding that civil society be present at her 'summit', to make sure these issues are addressed. We have yet to receive a reply.

[Read more] (4 comments)

June 12, 2013 | Ruth Coustick-Deal

PRISM, Free speech and creativity: Looking back on ORGCon2013

Thanks to all who came along to ORGCon2013! ORG have a summary of the major sessions, plus details on where you can find more on the sessions you missed.

Open Rights Group’s third national conference took place last weekend at the Institute of Engineering and Technology, with a fantastic set of speakers and hundreds of attendees.

Thank you to all who came along, we hope you had a great event!

Due to recent news there was a big buzz around digital rights issues, especially privacy and surveillance, at this year’s ORGCon. The day was was full of energetic debate on a diverse range of topics and was not without a fair share of controversy. With five sessions happening simultaneously, we only regret we couldn’t witness it all! There were some recurring themes and certain topics that sparked much debate. Clearly PRISM was the issue on everyone’s minds, but topics of free speech including its relationship to copyright, feminism, social media and the child’s right to know was also a big area of contention.

The day kicked off with Tim Wu’s keynote speech on The Digital Rights Movement. Wu described how new technologies and movements have a tendency towards centralisation, but that the Internet has the capability to break out of that pattern, especially due to its communication power to allow consumers and rights activists to develop alternatives and share lo-tech ideas. Nevertheless, he left delegates with the warning that ‘any device designed to liberate can be used to enslave.’

Caspar Bowden presenting on FISAA

Caspar Bowden, privacy expert, spoke to an attentive audience keen to hear his insights on FISAAA, Data Protection and PRISM or ‘How to wiretap the Cloud (without almost anybody noticing).’ Bowden began with a disclaimer that he had not known about PRISM, but deduced what was going on from open-sources. Bowden explained how UK citizens have no right to privacy under the 4th Amendment, a subject that was brought up again in John Perry Barlow’s closing speech. You can read the slides of Caspar’s presentation here and watch his talk here.

Creative Citizens panel

The Creative Citizens panel session was as lively as promised with Steve Lawson, Diane Duane and Simon Indelicate sharing their experiences of how the Internet is changing the creative industries and what is means to be an artist, taking the perspective that it isn’t so much winning at the Internet that is important , but the way in which that the Internet allows you to be a failure on such a large scale that it can begin to seem like a new kind of success. As musicians begin to pave their own way and take control of their own marketing, Lawson suggested there might be a market for digital story-tellers or documenters as the the outlook appears grim for artists who are yet to get their heads around Twitter.

This year’s ORGCon for the first time featured a series of ten minute rapid-fire talks and this session was one of the highlights of the day. The talks were a great opportunity for ORG supporters to address the conference and get their point across snappily. In her stand-out talk Milena Popova shared her experience of the tensions between feminism and the digital rights activism in her talk ‘When Worlds Collide’ calling for the digital rights community to “reach out beyond our bubble of geeks in black t-shirts and make this a welcoming community for everyone.” These sessions were a quick introduction to lots of new projects and threats - for instance Tanya O’Caroll’s talk on Panic Button, Amnesty International’s new app, got a lot of interest from developers looking to contribute to the project, and Richard King gave a useful overview of how to start-up an ORG group - take a look at his blog and get involved.

John Perry Barlow presenting at ORGCOn2013

In the closing keynote John Perry Barlow re-asserted the utopian possibilities of the Internet in his speech ‘The Freedom to Know’. Barlow, making a case for radical transparency, asserted that privacy is contextual, making the bold claim that the loss of privacy that the Internet brings may lead to a greater acceptance of our individual idiosyncrasies, face tattoos and all. He took a great range of questions and spoke on issues from the un-taxability of bitcoins to the Internet as a threat to monotheism, on collective ways to assure human rights and on American civil liberties campaigners attitude to the threat to world-wide privacy from FISAA.

If you missed out on the day, and want more of a round-up, there are lots of other ways you can go over the material. Watch Caspar Bowden’s talk on FISAA right now, follow the hashtag #orgcon, look at the photos on Flickr and keep an eye for the upcoming videos of the main sessions where you watch a lot of the event.

If you have written a blog or report on ORGCon we would love to share it and hear your thoughts, so please let us know. If you have any specific feedback on orgcon, please email - A questionnaire for all attendees will be out soon.


Read more blogs on ORGCon!

Milena Popova:

Ray Corrigan:

Andrew McStay:


[Read more]

June 12, 2013 | Peter Bradwell

Baroness Ludford amendment - opening the door to FISAAA?

Liberal Democrat MEP Baroness Ludford has proposed an amendment to the Data Protection Regulation that would mean your data could be transferred to the USA without you being informed.

Baroness Sarah Ludford MEP

Baroness Ludford, by ALDE, cc-by-nc-sa

The UK Liberal Democrat MEP Baroness Ludford has recently published an article in LibDem Voice accusing the Open Rights Group of "overreacting" to a letter she had written to the Financial Times.

In late March ORG wrote an article for the same Lib-Dem blog pointing out that in her letter to the Financial Times, the Baroness had failed to mention the interests of citizens. Instead Baroness Ludford highlighted the well-known concerns of some technology companies – roughly, that the new rules will stifle internet businesses.

But there is more to our concern than the contents of that letter. The Baroness proposed 113 amendments to the draft Regulation [Correction 12/6: the correct number is 129]. You can read all of them on Parltrack. (We'll be putting up an analysis of more of these shortly). These include proposals that we believe would severely undermine people's privacy rights and leave them with less control over their data. 

For instance, the Baroness is behind amendment number 1210.

This removes the right to know if your data might be transferred to a third country or international organisation.  It does this by deleting the following bit of the proposed Regulation:

Article 14 – paragraph 1 – point g
(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

It hardly needs spelling out given the recent news about PRISM and state surveillance, but knowing which companies or countries your data might be moved to is likely to increasingly be a fundamental consideration for someone deciding whether to share personal data.

EDRi challenged Baroness Ludford on Twitter to withdraw this amendment in light of the PRISM revelations, yet she refuses to do so:

@EDRi_org: .@SarahLudfordMEP Will you withdraw your AM 1210 that removes obligations to inform if data will be transferred abroad? #prism #eudatap

@SarahLudfordMEP: @EDRi_org: prob is that it's not only 'transferred' data at risk of FISA orders. Glad @VivianeRedingEU pressing Holder, long overdue

@EDRi_org: .@SarahLudfordMEP You won't withdraw AM1210? You seriously want to create a right to export data without telling anyone? #eudatap #prism

This is one reason that we do not believe that ORG and Privacy International have been overreacting, as the Baroness suggested. The Baroness has proposed some of the most damaging amendments we have seen, potentially weakening the definition of consent, creating quite broad loopholes permitting the use of data without consent, and reducing the information people receive when data about them is collected. 

It was no real surprise to see that the Baroness was recently ranked sixth on the list of MEPs who had proposed the most damaging amendments following analysis reported on the website

In her article Baroness Ludford also cites the European consumer BEUC's position on consent in support of her position. In a response sent to members of the LIBE Committee, BEUC have been strongly critical, adding that it was 'to their dismay...that...(she) referred to our position on ‘consent’ in isolation and without referring to the points included in the BEUC position.” BEUC go on to say that other amendments proposed by the Baroness would “systematically reduce the level of protection that consumers in the UK and elsewhere enjoy”.

We will continue looking at her (many) other damaging amendments in a follow up post.

[Read more] (1 comments)

June 12, 2013 | Rachel Wemyss

Caspar Bowden - How to wiretap the Cloud (without almost anybody noticing)

Independent privacy advocate and ex-Microsoft employee Caspar Bowden gives the crucial legal context to PRISM and FISAAA. Bowden explains how the 4th Amendment does not apply to non-US citizens leaving the US government able to conduct mass surveillance of the cloud. This timely ORGCon2013 talk is essential viewing!

[Read more]

June 10, 2013 | Jim Killock

What William Hague and Theresa May need to tell us

While admiration for Edward Snowden's whistleblowing grows in the USA and abroad, in the UK we are listening to Sir Malcolm Rifkind and William Hague with increasing scepticism.

It seems obvious that our security services will have received information from these trawling and retention systems, and equally it would be a little surprising if they had broken international law. The government must answer these questions, especially to tell us what they knew, but Sir Malcolm Rifkind insisting that ministerial warrants would be required seems tiresome and a way of avoiding the real point.

The government cannot simply insist that US-based surveillance, wich is both secret and pervasive, is just a US problem. PRISM in particular seems to be targeted at non-US citizens, for very broad 'foreign policy' considerations. Additionally, the legal position in the US is that there are no constitutional protections for non-US citizens. Caspar Bowden outlined these points in detail (PDF) at ORGCon on Saturday.

Our UK government must have known about US FISAA powers, and most likely the kind of programmes that the new law was creating.

When Parliament thought about a similar problem in preparation for the UK census, they were alarmed and took action. The Patriot Act allows data to be 'seized' secretly under National Security Letters. Parliament asked that the US contractor, Lockheed Martin, be prevented from handling census data, to avoid the possibility that data might be seized and copied under the Patriot Act. Parliament won that battle.

What William Hague and Theresa May should have been doing was making sure that our businesses and citizens knew to shelter from FISAAA powers. They should have been attempting to strengthen our data protection arrangements, or ensuring through procurement that all personal data the government keeps is kept out of the USA, until more reasonable laws are in place.

Instead, their reaction seems to have been to push ahead with our own UK version, in the Snooper's Charter. Frightening and unaccountable US powers seem merely to have inspired in Theresa May the desire to replicate them here.

Laws are meant to guarantee reasonable behaviour. Once secrecy around their interpretation, implementation and use is complete, it should be no surprise that powers get out of control. A lot of this secrecy exists in the UK at present: we do not know which companies retain data, nor whose data is accessed. There is no individual notification; nor court supervision of access. During the Snooper's Charter debate, the Home Office was extraordinarily reluctant to discuss the problems they believed they had, citing national security instead. For FISAAA, the government did nothing to encourage sensible analysis of what this should mean for UK citizens', journalists' and businesses' confidentiality.

The ability of government institutions to turn a blind eye and ignore such serious problems, to the point that our trust in them is dealt a terrible blow, is a failure of leadership. Now our politicians must live up to their duty, and turn their attention to ways to protect British and European citizens from US-based warrantless surveillance.

UK politicians should demand:

  1. That US law recognises the human rights of foreign citizens, in particular their right to privacy
  2. That EU Data Protection requires EU standards of privacy from US companies; or warns when this cannot be guaranteed
  3. That UK and EU procurement be designed to protect personal data from warrantless US surveillance


[Read more]

June 07, 2013 | Jim Killock

Advisory Council nominations

Are you an expert in digital issues, civil liberties or campaigning? Or do you know who should be helping us form policy and campaign strategy?

Once a year, ORG recruits experts to our Advisory Council. This is the your chance to help us be the most expert and forward thinking digital civil liberties organisation in the UK. Send nominations to

This year we particularly want

  1. Privacy experts, in data protection, surveillance laws and digital privacy
  2. People with a legal background
  3. People with a strong background in copyright reform
  4. Campaigners
  5. People with experience in FOI, Subject Access Requests, media work
  6. Journalists and investigative journalists
  7. People with senior political contacts in the Labour, Lib Dem and Conservative parties

Please send us your nominations!

[Read more] (1 comments)

June 07, 2013 | Peter Bradwell

PRISM: The FISAAA smoking gun

We'll be posting analysis through the day about the revelations about PRISM and the NSA. Here's some background on the Foreign Intelligence Services Act.

UPDATED: see presentation by Caspar Bowden below.

The slides about secret data access under the 'PRISM' programme published today seem are somewhat of a smoking gun. Concerns about the implications of the Foreign Intelligence Services Act (FISAA), and in particular section 1881a, have been around for a while. For example, a report for the LIBE Committee of the European Parliament last year (co-authored by Caspar Bowden, who will be speaking about this at ORGCon tomorrow) said:

"So far, almost all the attention on such conflicts has been focussed on the US PATRIOT Act, but there has been virtually no discussion of the implications of the US Foreign Intelligence Surveillance Amendment Act of 2008. §1881a of FISAA for the first time created a power of mass-surveillance specifically targeted at the data of non-US persons located outside the US, which applies to Cloud computing. Although all of the constituent definitions had been defined in earlier statutes, the conjunction of all of these elements was new."

These revelations could have potentially devastating consequences for cloud computing. As noted in our previous blog, the UK government have some big questions to answer. 

This presentation (PDF) by Caspar Bowden contains very detailed explanations.

We also asked Professor of International Law Douwe Korff for his explanation of what's happening. Here's what he said:

 "US law makes non-US citizens living outside the USA completely fair game for unlimited surveillance by the US intelligence agencies, in particular under FISAA para. 1881a.  That paragraph effectively removes all restraints on the monitoring by US intelligence agencies of such non-US-citizens' e-communications, mobile phone communications, SKYPE conversations, social network exchanges, SMS texts or Internet browsing and video- and photograph- and file-sharing.

It is not even necessary that the surveillance is relevant to US national security issues.  Moreover, the US legislators and courts have consistently denied US constitutional protections to non-US citizens:  in all relevant respects in relation to surveillance by the US authorities, the Constitution simply does not apply to such non-US-citizens.  Protestations by US authorities that their legal system provides basically the same protection as is provided to EU citizens under European human rights and data protection law are quite simply untrue and deliberate attempts to hide the absence of any real protection of non-US-citizens from the US  global surveillance system. It is time civil society groups on both sides of the Atlantic join hands to fight against the new global Big Brother environment that is being created by supposedly democratic governments in both the USA and Europe."

Caspar Bowden has been expressing concerns about the FISAA provisions for some time. He'll be giving an hour long talk tomorrow at ORGCon on exactly this topic - it should be rather interesting! 

[Read more] (1 comments)

June 07, 2013 | Jim Killock

PRISM - Diffracting non-US Citizens' basic privacy since 2007?

It's being reported by the Guardian and Washington Post that the US National Security Agency can routinely access the sensitive data stored by big web firms including Facebook, Google, Skype, Microsoft, Yahoo, YouTube and Apple.

Top secret slides from the US National Security Agency say that email, video and voice chat, videos, photos, voice-over-IP chats (eg. Skype), file transfers, video conferencing, social networking details and 'Special Requests' are all collectable.

The web companies' response has been that if this has been happening, they were unaware of it and that they don't give government direct access to their servers. 

The Director of US National Intelligence, clearly talking with a US audience in mind, said that the law allowing this apparent collection of communications ensures that only "non-U.S. persons outside the U.S. are targeted."

Such a statement is intended to put American minds at rest. Where this leaves the rest of the world - including UK citizens, businesses, charities, MPs, campaigners and NGOs - is another matter.

In the light of this, the UK Government has very serious questions to answer.

  1. What did the UK Government know about the PRISM programme?
  2. Given the history of collaboration between the US and the UK, can they give us assurances that UK secret services have not been involved in the PRISM programme?
  3. Will the UK Government be seeking clarification from the US Government about whether the data of UK citizens is being monitored by the NSA?
  4. Has the UK received any intelligence based on queries made through the alleged PRISM programme?
  5. Would the Government advise that UK citizens, businesses and MPs stop using services provided by American web companies such as Google, Facebook and Microsoft?
  6. Can the UK Government give assurance that the commercial confidentiality of UK businesses has not been breached through the PRISM programme?

In addition, a Parliamentary investigation is required. Companies such as Google, Facebook, Microsoft and Yahoo need to answer to Parliament as to what data about UK citizens may have been included in the PRISM programme. The investigation should also ask questions of representatives of the UK Government and the intelligence agencies to bring transparency to clear up whether they had any involvement in the PRISM.

[Read more]

google plusdeliciousdiggfacebookgooglelinkedinstumbleupontwitteremail