February 09, 2016 | Ed Johnson-Williams

ISC comes down hard on Investigatory Powers Bill

The Intelligence and Security Committee (ISC) has released a damning report on the Home Office's draft Investigatory Powers Bill (IPB).

The ISC is a committee of MPs and Peers who scrutinise the intelligence and security agencies. It's traditionally avoided rocking the boat and ORG has often called for them to be more vigorous in their oversight. This time, though, under the leadership of Dominic Grieve MP, the Government's former main legal advisor, they've picked apart large parts of this Bill.


The Committee calls for privacy protections to be strengthened in the Bill:

"Privacy protections should form the backbone of the draft legislation, around which the exceptional powers are then built. Whilst recent terrorist attacks have shown the importance of the work the Agencies do in protecting us, this cannot be used as an excuse to ignore such important underlying principles or unnecessarily override them. Privacy considerations must form an integral part of the legislation, not merely an add-on."

It is good to see privacy be such a strong focus of their report. The report calls for privacy to be an "integral part of the legislation" and calls for the inclusion of a new section "dedicated to overarching privacy protections".

They have nevertheless agreed with previous committees that bulk powers may be “necessary and proportionate”. Here, they could have called for more public evidence to show their impact. Even if you agree that bulk data is useful or even necessary, the absence of public information, excepting a few details of some possible Home Office case studies, is not enough to justify the powers or to allow a full Parliamentary discussion of these capabilities. It will certainly be interesting to see the extent to which the Home Office builds a response to this criticism into the re-drafted Bill.

Rush job

The Committee criticises the Home Office for being overly hasty in their preparation of the Bill: 

"It appears that the draft Bill has perhaps suffered from a lack of sufficient time and preparation and it is important that this lesson is learned prior to introduction of the new legislation."

We agree with the ISC. This Bill cannot be rushed through Parliament. It is a huge piece of legislation that needs to be drafted carefully and thoroughly scrutinised.


On the subject of Bulk Equipment Interference (read: bulk hacking), the ISC complained that they haven't seen convincing evidence for the need for Bulk Equipment Interference (EI) warrants:

"The Committee has not been provided with sufficiently compelling evidence as to why the Agencies require Bulk Equipment Interference warrants, given how broadly Targeted Equipment Interference warrants can be drawn. The Committee therefore recommends that Bulk Equipment Interference warrants are removed from the new legislation."

At first reading this is positive but the reason the report gives is that Targeted Equipment Interference warrants can be broad enough to cover anything the Agencies might have wanted to use a Bulk EI warrant for. A better recommendation might have been to restrict Targeted Equipment Interference warrants to more limited targets.

Bulk personal datasets

The ISC is particularly critical of the draft IPB's provision for agencies to acquire large numbers of Bulk Personal Datasets (BPDs) - large datasets containing personal information about a wide range of people. They said:

"BPDs contain personal information about a large number of individuals, the majority of whom will not be of any interest to the Agencies. Given the volume of the material concerned, and the number of individuals covered, the Committee does not feel that such practical considerations are sufficient to override privacy concerns.

The Committee considers that the acquisition, retention and examination of any Bulk Personal Dataset is sufficiently intrusive that it should require a specific warrant. We therefore recommend that Class Bulk Personal Dataset warrants are removed from the new legislation."

The use of BPDs was exposed by the ISC's previous report into surveillance powers. It is just one of the areas of the Bill where the law is being drafted to allow practices that are already taking place. We agree with the ISC's calls to remove class warrants that would allow the agencies to acquire multiple BPDs.

What happens now?

When you've got a committee of MPs and Peers that's traditionally supportive of surveillance and headed up by the Government's former legal advisor telling you that your Bill doesn't provide enough privacy protections, you know you've got work to do. 

Parliament's Science and Technology Committee has already said the Bill could put the UK tech sector at risk. The Joint Committee of MPs and Peers tasked with scrutinising the whole Bill will publish its report on Thursday. Their report is rumoured to be 400 pages long.

While we'll wait to see what the Joint Committee has to say, it's already clear that the Home Office will have to properly re-draft this Bill to include privacy protections. There have been suggestions that the Home Office is planning to publish a new version of the Bill by the end of February. They should take a lot longer than two weeks. Theresa May must ensure that the ISC’s very serious and well thought-out demands are dealt with in full.

February 01, 2016 | Javier Ruiz

Science and Technology Committee of Parliament slams Snoopers' Charter

The Science and Technology Committee of Parliament publishes scathing report claiming that uncertainty over the Snoopers' Charter will harm the UK tech industry.

The Science and Technology Committee of Parliament has delivered a major blow to the Draft Investigatory Powers Bill (IPB) in its scrutiny report. The IPB will put into law the powers and capabilities revealed by Edward Snowden, and includes the latest incarnation of the Snoopers' Charter. The Committee's overall message to the Home Office is that uncertainty over costs and obligations in the Bill will harm UK companies and make Britain a less attractive place for foreign technology businesses.

The report says: 

“The evidence we have received suggests there are still many unanswered questions about how this legislation will work in the fast moving world of technological innovation. There are good grounds to believe that without further refinement, there could be many unintended consequences for commerce arising from the current lack of clarity of the terms and scope of the legislation. It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy.”

The Committee only looked at the technical aspects, not considering whether measures are justified by threats or what the privacy implications may be. After taking evidence from dozens of expert witnesses – including ORG – they found the Bill lacking on several aspects.

Parliamentarians found that Internet Connection Records are not properly defined, and neither are other central concepts in the legislation such as: “relevant communications data”, “communications content”, “equipment interference”, “technical feasibility” and “reasonably practicable”.

The Committee recommends that Government should be more explicit on the exact obligations the Bill will place on technology companies in order to allay concerns about impact on businesses and competitiveness. Codes of practice need to be published with the Bill and be clear on compliance burdens, proportionality and cost recovery. These should be regularly updated.

The report says that Government must urgently work with industry to improve estimates of all associated costs, which will likely include security and other areas besides simple storage, and assure companies that they will be fully reimbursed:

“The Government should reconsider its reluctance for including in the Bill an explicit commitment that Government will pay the full costs incurred by compliance.”


Encryption is another area singled out for criticism. The Committee asks Government to clarify the obligations to provide clear unencrypted data, when encryption would have to be removed and what happens with end-to-end encryption.

MPs and peers have picked up on a seemingly narrow but important point. The Bill says that such technical measures must be put in place if it is “technically feasible”, but other measures in the Bill are only compulsory when it is “reasonably practicable” to do so. The Committee asks for this higher bar to be applied to the other cases as well. This example shows the importance of such small print, which is peppered throughout the Bill.

Unfortunately the Committee missed a beat on encryption. Reasonably, the report queries whether companies should be forced to remove protections applied by third parties, such as other companies or end users themselves. The main battleground, though, is whether companies should be able to apply encryption that they themselves are not able to break if done properly.


Equipment interference – hacking in common parlance – is also deemed problematic. The report relays widespread concerns from businesses about the obligations to assist authorities in their hacking activities, particularly from open source companies.

The report believes that there is a well-founded concern that the perception that UK businesses are in cahoots with the spies will put British companies at a disadvantage. This means that more transparency over the extent of powers may be required.

The Committee pleads with the Home Office to continue to engage with “communications businesses and the wider internet community” to allay concerns and confusions. They also make an important point. It is not only internet businesses, but also their users who “require assurances that investigatory powers will be imposed proportionately, and that the judgement as to what is proportionate should at all times be open to reasonable challenge.”

Despite its narrow focus, the report shows the huge amount of work that needs to be carried out by the Home Office before the Bill is fit to be presented to Parliament.

January 28, 2016 | Javier Ruiz

Data Privacy Day: the new EU Data Protection Regulation explained

The European General Data Protection Regulation (GDPR) is due to come into force in April 2016, in the biggest reform of privacy laws in Europe for two decades. This is the first blog in a series where we will look at how the new law will affect us.

The new Data Protection Regulation has taken four years to go through Brussels, in a convoluted process that has seen the original proposal from the European Commission utterly transformed through unprecedented levels of lobbying by companies and governments. The US was particularly aggressive, but in the end EU member states such as Germany managed to do a lot of damage with their demands for carve outs and exceptions.

The final version of the regulation is a mixed bag of results from a civil society perspective. The reform of data protection aimed to both modernise and harmonise the legal framework across the EU, while maintaining existing levels of protection. The original proposals aimed to put citizens at the centre, giving people control over their information and improving enforcement against abuses, but these ideas have been watered down substantially. Yet we must celebrate the fact that the regulation was passed at all, given how close the process came to collapsing on various occasions.

The regulation has not managed to completely please businesses either. At a recent stakeholder roundtable organised by the Information Commissioner's Office (ICO), we heard repeated concerns about the new requirements and the need for guidance. The message from the Commissioner was “don’t panic but expect fundamental changes to how data protection works”.

In the coming months ORG and other civil society groups will work to ensure that those changes take place and the new regulation takes basic data protections into this century. In this first blog, published on Data Privacy Day, we outline some of the main changes in the regulation, as well as some of the missed opportunities. The GDPR is huge and we will look at other areas in a series of blogs in the coming weeks.

Consent and “legitimate interests” to process your data

The new law brings in a stronger provision for consent to the processing of data. Until now companies could rely on "implicit consent" where if you used their services it was assumed that you were happy for your data to be collected unless you ticked an “opt-out” box.

The GDPR is better as it requires you - the data subject - to positively agree by “a statement or a clear affirmative action.” Consent now must be “freely given, specific, informed, and unambiguous,” which sounds good but belies some complex nuances that armies of lobbyists and lawyers have fought over during the past few years. The original proposals included “explicit” consent, a higher bar, but this has now only been kept in relation to sensitive data such as race, biometrics, political or sexual orientation; much as it is now.

The regulation is an improvement in other areas, making it easier to withdraw consent and clarifying that freely given consent cannot be given when people are unable to refuse without suffering a “detriment”, or where there is an imbalance of power. Importantly, an organisation cannot make a service conditional upon consent to give away data, unless the data is necessary for the service. These aspects should have important implications for many online services and apps.

The new law also brings changes to consent from minors under 16, with concerns for example that teenagers may be required to obtain parental permission to access confidential information. This is a complex issue and we plan to cover it separately.

Most people believe that consent is the one and only basis for handling your data, but this is not the case. Companies may need to do this in order to fulfil contractual or legal obligations, or in an emergency, and this is fine in most cases.

Unfortunately, the law also allows some fuzzy “legitimate interests” of an organisation to justify the processing of personal data overriding the privacy of individuals, appearing to contradict the very idea of data protection. This was originally designed as a narrow exceptional case but has become the main justification for the oceans of personal data kept by businesses large and small.

There are some limits to what companies can do, though. The purposes for which the information is used must be clearly defined, and there should be a balancing exercise that ensures there is not an excessive intrusion on individuals’ expectations, rights and freedoms. Unfortunately these are not enough to fully protect individuals and more restrictions are required.

One big problem is that the law sees the “legitimate interests” of third parties as a good enough reason for processing our data. As EDRI put it: “If a company you have never heard of can process your data for reasons you’ve never heard of, what is the point in having data protection legislation?”

The new regulation is a missed opportunity to fix these loopholes by severely restricting legitimate interests, although it brings some minor safeguards.

Transparency and access to your data

The GDPR also brings some improvements to the transparency requirements over what data is collected and how it is processed. Privacy notices should be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. You should now be told a lot more about how your data is processed, including “meaningful information about the logic involved” in automated decision making. This information should be provided when data is obtained.

The regulation also provides for information to be given using “standardised icons” that should be machine-readable. Automated data processes based on computers reading preferences matching expressed privacy settings are possible but may be limited by requirements for explicit consent, and should not be permitted in cases involving sensitive data.

We remain concerned over clauses allowing companies not to comply with all the transparency requirements if giving detailed information would involve a “disproportionate effort” or in cases where disclosure is legally mandated, and expect that the Information Commissioner will be taking a robust approach to any such claims.

Companies are concerned instead that these requirements will mean drowning their customers in privacy notices and losing the ability to “layer” information from simple notices to full complex documents. We do not see why this should be the case, and clear guidance and enforcement lines should come out as early as possible to avoid the ridiculous situation of the ineffective cookie notices.

The regulation brings several changes to your right to request a company gives you the data they have on you. A small but critical change is that now such requests will be free in the first instance, with fees reserved for repeated cases or disproportionate requests. This will likely trigger a large number of requests in the first months or even years, and we expect semi-automated services to flourish. We also expect that companies will make their lives easier by automating such processes.

The information to be provided should not simply be a dump of your data as is often the case but an explanation of how data is used, similar to transparency requirements elsewhere. Overall, the regulation should make companies think through their data processes very carefully, as they will be required to explain them at various points, including in new accountability requirements that we will discuss in a separate blog.

In addition to the right of accessing information there is a right to “data portability” designed to allow people to switch services and enhance competition and consumer rights. The right does not cover all types of information though, being restricted to data you provide through consent or in the course of a contract, and then only data processed automatically.

The data should be in machine-readable format and if possible provided directly to another organisation. This new right in combination with a new right to erasure, which we will discuss in our next blog, could mean some seismic changes to how data is treated.

What’s next

In the coming weeks we will look at other areas affecting individual rights - such as pseudonymous data, profiling, breach notifications - and also at the implications for organisations. Businesses and also NGOs will have to consider requirements for data protection officers, international data transfers and accountability measures, including data protection by design. There are also huge changes to data protection authorities, with the establishment of an EU data protection board, and a one stop shop principle for international adjudication.

Enforcement is another area with big changes and much larger fines, although not as extensive as we initially hoped. The recitals do include the possibility for public interest groups such as ORG to lodge complaints to authorities and courts on behalf of individuals, including for compensation.

The right for organisations to launch independent complaints has been left at the discretion of national governments, so we will need your help to get the UK to take a progressive stance on this matter which could transform privacy activism as we’ve known it.

From the above the picture seems pretty rosy, but unfortunately the regulation presents many holes that could mean that in practice not a lot changes. The potential is there but civil society, progressive politicians and data protection authorities must work hard in the coming years to ensure the GDPR delivers as close as possible on its original objectives for modernising the law and empowering individuals.

January 28, 2016 | Jason Kitcat

E-voting won't solve the problem of voter apathy

As the old English proverb has it “the road to hell is paved with good intentions.” Such thoughts spring to mind with the launch of the report Secure Voting by campaigning group WebRoots Democracy. WebRoots are volunteers who ‘campaign for the introduction of online voting in Local and General Elections’. We know where they stand on this issue, but how informed is their argument that online voting can be secure?

Not very informed at all if we are to take their latest report as evidence. The report is essentially an uncritical collage of marketing materials and thoughts from the world of commercial e-voting suppliers. Many of those suppliers are known to ORG as purveyors of systems which we observed going wrong during previous trials in the UK, including Scytl, Everyone Counts and Electoral Reform Services. Problems we observed in those trials included voters unable to cast their votes, Windows having to be re-installed before results could be extracted and error messages in Spanish as votes were recorded for the wrong candidate.

I don’t disagree with WebRoots Democracy’s desire to boost participation and don’t dispute that low voter turnout challenges the legitimacy of our democratic processes. However the remedy proposed will do little, if anything, to cure the patient. Prime Minister David Cameron understands this and is quoted saying as much:

“Online voting? I mean I don’t have any objection to it, but I think in a way we’re asking the wrong question. The reason people don’t vote is not because it’s too complicated to go down to the polling station; the reason that people don’t vote is because they don’t believe it makes enough of a difference.”

Which is exactly what social scientists and experienced canvassers say too. In short, it is very rare that the logistical difficulty of casting a vote is the reason why someone doesn’t vote. More often the reasons are because a voter feels all parties are the same, their vote doesn’t make a difference, they don’t believe in politics, they live in a safe seat or they don’t feel well enough informed to participate. A technological voting solution won’t solve any of those issues, instead they require the hard work of education and engagement. Which is why, overall, global trials of e-voting have had little or no positive impact on participation rates.

Voting is a uniquely hard problem for computers. Unlike commercial transactions, votes have to be completely secret, anonymous, secure and verifiable. When you shop online it’s not anonymous, banks and shops know who you are and use that to verify your identity. If there’s a problem you can check your statement and ask for a refund. You can’t refund votes and you can’t have a clear voting ‘statement’ to check as that would enable vote-selling and coercion. Which is why a secret ballot is a fundamental right in the UK Human Rights Act, the European Convention on Human Rights and the UN Declaration of Human Rights.

It is computer scientists around the world who have been leading the campaigns against the introduction of electronic voting. These people aren’t luddites, their whole careers depend on the progress of technology. But they understand that the unique properties of binding political elections make them ill-suited to the best computing can offer us today. Thankfully many senior decision-makers are coming to the same view too, which is why after trials countries including Ireland, Italy, France, Germany, Finland and Norway have all withdrawn from the use of e-voting.

I was part of an independent team which studied Estonia’s online voting system and found serious flaws. Our findings, published in a peer-reviewed academic journal, showed that state level attackers could undetectably change the outcome of the elections using Estonia’s online system. And this was despite the Estonian system being the best online system we’d seen in live use, and despite the advantage of every Estonian citizen holding a smart ID card.

The risks of undetectable fraud or error are very significant, the costs of implementing these systems are huge and the benefits marginal at best. So why risk it? At a time when all public services are crying out for investment to go digital there is no compelling case for spending scant resources on e-voting. A report compiling pitches from e-voting suppliers is not going to change the reality that the risks of e-voting are too great for any sound democracy to consider.

January 19, 2016 | Pam Cowburn

Thanks to our supporters, we can make our mass surveillance film

Thanks to our supporters, we more than reached the target of our Indiegogo crowd-funder. With your help we raised £20,624, which we're going to use to produce a high-quality campaign video to explain the implications of the Investigatory Powers Bill to people who may not be fully aware of it.

We've already met with the team of film-makers who will be working on this and they are going to present some ideas this week. They are the same guys behind the brilliant Department of Dirty film and we're sure they are going to come up with something equally good for this campaign.

One of the problems that we face is that the arguments for surveillance are very emotive and use the fear of terrorism, paedophilia and other crimes to persuade people that they need to give up their privacy and Internet security. But we know that many people are uncomfortable with the levels of surveillance being proposed and we hope that this film will show them why they are right to feel uneasy. We want it to resonate with the wider public and raise awareness of why our privacy is under threat.

At the minute, the draft Bill is being scrutinised by a Joint Committee who are due to report back in February. The Bill will then be redrafted and we expect it to be laid before Parliament around April. We want to launch our film before then to increase awareness and start motivating people into taking action and talking to their MP.

Thanks again to everyone whose donation is making this possible. It is still possible to contribute to the campaign here. We'll use any additional money to promote the film more widely.

January 19, 2016 | Jim Killock

Does the government want to break encryption or not?

The government has responded to a petition asking for clarity about their intentions to control or limit encryption. Unfortunately, it is still far from clear what they are hoping to do.

The government opens up by stating:

“This Government recognises the importance of encryption, which helps keep people's personal data and intellectual property safe from theft by cyber means. It is fundamental to our everyday use of the internet.… As Baroness Shields made clear in the House of Lords on 27 October 2015, the Government does not require the provision of a back-door key or support arbitrarily weakening the security of internet services.”

However, it then goes on to state that:

“Clearly as technology evolves at an ever increasing rate, it is only right that we make sure we keep up, to keep our citizens safe. There shouldn’t be a guaranteed safe space for terrorists, criminals and paedophiles to operate beyond the reach of law.

The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can, subject to a warrant which can only be issued using a strict authorisation process where it is necessary and proportionate, access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts.”

That appears to imply that any encryption should be removable. This stands in direct contradiction to the paragraphs above. Either encryption can only be removed by the intended sender and recipient, or it is broken and unsafe.

The government concludes that:

“There are already requirements in law for Communication Service Providers in certain circumstances to remove encryption that they have themselves applied from intercepted communications. This is subject to authorisation by the Secretary of State who must consider the interception of communications to be necessary and proportionate. The Investigatory Powers Bill will not ban or further limit encryption.”

Perhaps this is the nearest thing we have to clarity. The government perhaps thinks that companies, where they control the technology, should be able to get to the information. Perhaps the government is assuming that companies might re-engineer their products, so any encryption is only for data in transit. End to end encryption, where companies are not key holders, is the kind of set up that the government might seek to limit, without attempting to break the fundamental mathematics or encryption technologies. 

As TechCrunch observes, however, this kind of threat of companies enabling internal backdoors is already displacing the technology used by ISIS to set-ups that are not under the control of central platforms. So such an approach could end up with privacy for the criminals, but not for ordinary, law-abiding citizens.

December 22, 2015 | Pam Cowburn

How the Investigatory Powers Bill will affect Internet Service Providers

The draft Investigatory Powers Bill (IPB) has serious implications for Internet Service Providers (ISPs), who could be both obliged to assist the state in surveillance and also adversely affected by other provisions in the Bill, such as new hacking powers.

Earlier this month, President of BT Security, Mark Hughes; Director of Policy at Sky, Adam Kinsley; Director of Operations at Virgin Media, Hugh Woolford; Chair of the Internet Services Providers' Association (ISPA), James Blessing; and Managing Director of AAISP, Adrian Kennard, all gave evidence to the Joint Committee scrutinising the IPB. Here are some of the issues that they raised:

Internet Connection Records are ill-defined
The Investigatory Powers Bill would force ISPs to create and retain even more data about their customers.

ISPs are already obliged to keep certain types of communications data for 12 months under the Data Retention and Investigatory Powers Act (DRIPA). Under the IPB, the data retained would be extended to include “Internet Connection Records”. These are described in the Bill’s explanatory notes as, “a record of the internet services a specific device has connected to, such as a website or instant messaging application”. However, the definitions within the Bill itself are much broader and open to interpretation. When asked to rate the clarity of definitions contained in the Bill, on a scale of one to ten, Adam Kinsley of Sky said that the definition of ICRs was, “pretty close to zero” and stressed that further clarification would be needed through codes of practice. James Blessing told the committee that the Bill doesn't spell out, “what information is required to be captured, what format it is to be stored in and how it is to be made available”.

This lack of definition means that it is very difficult for ISPs to know what systems they need to put in place to capture and store the required data. Virgin Media’s Hugh Woolford believes that: “this Bill could potentially look at us, all of us, having to almost mirror our entire network's traffic to enable us to then filter it”.

ICRs need to be created not retained
The explanatory notes to the Bill claim that an ICR is “captured by the company providing access to the Internet” but this is not the case. Woolford told the Joint Committee: “This is something that is completely new … from a business point of view, there's no need for us to capture any of this information.” This point was reiterated by Blessing who said: “Internet Connection Records don't exist, they are not a thing, they are not generated in normal business.”

ISPs could be prevented from talking about ICRs
The terms of the Bill mean that ISPs would be prevented from discussing orders they receive from the Home Secretary. Blessing argued that Internet companies differ from other types of industry because even competitors rely on each other. How each ISP collects ICRs would vary from network to network. If they understood exactly what was expected, they could then discuss the best ways to collect them in an open forum. Preventing them from doing so will affect how effectively they can deliver their services.

The filter carries privacy and security risks
The police and other government departments would use a “filter” that would analyse data to identify what may be of interest. This has been presented as a privacy-enhancing measure that would reduce the amount of data accessed. In practice, it will mean that data mining takes place prior to authorisation and some ISPs appear uncomfortable with this. Virgin Media's Woolford told the Joint Committee: “what we don't want to do is become data analysers of information”.

ICRs fall under the existing, usually internal, authorisations for communications data, which means there is not the supposed “double lock” of judicial authorisation that has been proposed for other surveillance warrants. Adrian Kennard pointed out to the Joint Committee that allowing third party access to this data increases the risk of it being compromised.

The budget doesn’t add up
As companies don't already create or retain this data, they will need to invest in new systems. BT's Mark Hughes broke down the costs for ICR retention as capital investment, growth in bandwidth and maintenance and storage. Keeping ICRs secure would be a significant part of these costs.

The Home Office has allocated £174.2 million over ten years to cover these costs. However, Hughes told the Joint Committee that this would effectively cover BT's costs alone. Woolford also indicated that Virgin Media’s expected costs would be tens of millions of pounds. While an obvious concern for companies and their shareholders, customers could see price rises if costs are not fully met by the Home Office’s budget.

Kennard pointed out that the fact that the Home Office have come up with these costs means that they must have an idea of what exactly it is they want ISPs to generate – so costs should theoretically help with clarification about what ISPs are expected to provide.

Undermining security undermines trust
If ISPs are forced to break encryption in order to respond to Home Office requests for data, there are serious implications for consumer trust. Kennard told the Joint Committee: “if providers are required, even secretly, to remove that protection, then obviously that removes all trust in those providers, if they are offering secure communications services but at any time they could be subject to an order that makes it not secure.” According to Kennard, this could cause companies to avoid being based in the UK and customers to avoid UK companies.

ISPs could be targets themselves
The IPB gives the police hacking powers and the security services bulk hacking powers that would allow them to hack individuals or networks in order to reach targets. As we saw with GCHQ’s hacking of Belgacom, hacking can have major financial and reputational consequences for affected companies. Woolford, Kinsley and Hughes were reluctant to answer the Joint Committee’s questions about bulk hacking powers. However, Hughes did admit that BT was “not OK with anything that undermines the integrity of our network.”

ISPs could be given permission to intercept data
The IPB would also give ISPs permission to intercept communications data for the purpose of filtering content (s33). We believe that could be used, for example, to allow companies to intercept all traffic so they can identify malware or see if it should be blocked by their family friendly filters. It could be used to permit a much wider range of detection and blocking of legal or illegal content, including through ISP terms and conditions. This opens the door for new private enforcement measures beyond the apparent intention of section 33.

The Government needs to present an operational case
No one would argue that ISPs shouldn't help the police and security services when it comes to tackling serious crime and terrorism. But when we are asking companies to compromise their customers' privacy and security, it should be because there is suspicion that a crime has taken place or that serious harm can be prevented.

Many European countries are ending the retention of communications data without any noticeable effect on their ability to prevent and solve crime. No other EU or Commonwealth country forces their ISPs to record Internet histories. Operational cases need to be subject to scrutiny, as they have been in the USA. There, close examination of these cases has resulted in a scaling back of bulk programmes, as the results have been shown to be poor (4). If UK ISPs are to be forced into collecting personal data on an unprecedented scale, the Government needs to present an evidence-based operational case.


(2) pp25

(3) ibid



December 18, 2015 | Ruth Coustick-Deal

Ten Triumphs of 2015

Let's take a moment to look back on 2015, and some of our top moments during this year.


  1. We saw off a sneaky attempt to introduce the Snoopers’ Charter into law. Four members of the House of Lords tried to insert the text of the Snoopers’ Charter into the Counter Terrorism and Security Bill, just when that Bill was at its final stages. With only a few days' notice, ORG responded, galvanising supporters to call Lords and explain why this was unacceptable. The Lords saw sense and the amendments were dropped.

  2. ORG’s legal intervention was key to the successful challenge of the Data Retention and Investigatory Powers Act. Our expertise and fantastic legal support meant that parts of DRIPA were found to be unlawful by the High Court. The successful judicial review was brought by Liberty, represented by David Davis MP and Tom Watson MP, with ORG and PI acting as intervenors.

  3. Our Scotland office was launched and in its first months challenged a scheme that could have introduced an identity card system.

    These plans could have been sneaked in through a minor public consultation but thanks to our strong press work and lobbying, we made the Scottish parliament and the public aware of what was happening. Along with ORG, over 200 supporters submitted their views to the consultation in February and the plans appear to be on hold. We also held an ‘ORG Scotland Day’ with author Charles Stross on 10th May to ask members in Scotland to contribute to shaping the future of the organisation.

  4. The Government finally published a comprehensive new surveillance law - the Investigatory Powers Bill. This is something we’ve been calling for since the Snowden revelations. There are many things wrong with the Bill but its publication is an acknowledgement that the Government needs to be more transparent about surveillance - and this will make it much easier for us to challenge what is in it. 

  5. We taught practical digital skills to groups from journalists and NGOs to school children and teachers.

    A lot of our work this year was educational: we created a security and threat modeling training programme for journalists and activists. We ran a series of interactive workshops at Being Watched, an all day conference for young women, aimed at helping them to regain control in the online world. We collaborated with Chris Pounder to provide data protection training for NGO staff, who are now better equipped to campaign and protect their supporters from misuse of personal data. Plus, our local groups ran a series of ‘cryptoparties’ teaching people about online privacy and security at an introductory level, with events taking place in Cardiff, Sheffield & Brighton, Bristol and Edinburgh through March & April.

  6. Working jointly with Wikipedia we forced MEPs to drop their attack on 'freedom of panorama'

    This is an important copyright exception that means we are free to photograph or paint a work of art that's in a public place - like a sculpture or a building. During the process of creating new copyright law in the EU, some MEPs proposed removing this ability across Europe. We helped supporters tell their MEPs to vote the idea down - and the proposal was swiftly taken out of the vote altogether!

  7. ‘Collect it all: GCHQ and Mass Surveillance’, the first full report into the substance of the Snowden revelations was written and published by ORG. The substantial review is a thorough guide to the slides and documents Snowden leaked, and has been published as an ebook.

  8. We challenged candidates to take a positive stance for digital rights in the 2015 election. We organised hustings in Bristol, Brighton and Manchester to give voters the opportunity to ask questions on surveillance to their Parliamentary candidates. We ran training sessions with members based in London, Manchester and Sheffield on talking to candidates, writing to local press and organising campaign events. Our briefing pack with key questions and myths about surveillance helped supporters speak out on these issues. On top of which, we built a tool which reported on candidates' stances on surveillance.

  9. The bad bits of the Investigatory Powers Bill are being thoroughly challenged in our on-going campaign. In just a few weeks since the release of the Bill, we’ve given evidence in Parliament, submitted long form evidence, made a lot of press appearances, and helped supporters write to their MP about the new law.

  10. As the year drew to a close, we celebrated ten years of Open Rights Group! With 100s of campaign actions, and 1,000s of supporters, ORG has stood up for your rights for over a decade!

So what's the plan for 2016?

In the new year we're going to launch a public-facing campaign on the Investigatory Powers Bill. The Joint Committee, who are examining the Bill, will report back in February and there will be media and political interest in what they have to say. At this point we need to put pressure on MPs and members of the House of Lords who will amend, debate and vote on the Bill.

The focal point of this campaign will be a short film that shows exactly what mass surveillance means and the implications of what the Government is proposing. If we raise enough money, we will also produce other marketing materials, such as ads and flyers to increase awareness.

Can you help us make it happen?

Please donate to support our Indiegogo campaign!
