July 22, 2015 | Maxine Chng

UK Court rules DRIPA unlawful

Last week, the High Court ruled that the Data Retention and Investigatory Powers Act 2014 (DRIPA) was inconsistent with EU law.

The successful judicial review was brought by Liberty, represented by David Davis MP and Tom Watson MP, with ORG and PI acting as intervenors.

The case was originally presented as a human rights challenge, but the central questions that were examined in court concentrated on whether or not the powers conferred by DRIPA were compatible with EU law. These were questions that ORG brought to the court. In answering this question, Lord Justice Bean and Mr Justice Collins confirmed that EU law, as set out by the Court of Justice of the EU in the case Digital Rights Ireland (DRI), is indeed applicable to UK law.

The High Court ultimately found that DRIPA was incompatible with EU law and referred to two Court criteria laid down by the CJEU in the DRI judgment. Firstly, DRIPA failed to provide clear and precise rules regarding the access to and use of the retained communications data. Secondly, DRIPA does not make prior review by a court or an independent administrative body a mandatory requirement for access to the retained data.

Although it is now clear that the DRI judgment applies to UK law, not all of the CJEU's demands have been accepted by the UK courts. One of the remaining issues is that the retention of data should be restricted to a particular time period, geographical area and/or persons. However, the High Court thought that such a restriction would be completely impractical. According to the High Court:

“The CJEU cannot have meant that CSPs [communication service providers] can only lawfully be required to retain the communications data of “suspects or persons whose data would contribute to the prevention, detection or prosecution of serious criminal offences”. Such a restriction would be wholly impracticable. Rather the Court must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens’ rights set out in Articles 7 and 8 of the Charter.”

This makes way for general retention practices which may be over-broad. We should note that the CJEU in DRI was specifically concerned about the proportionality of any interference with the rights guaranteed under the Charter. It is difficult to see how such general retention powers can be proportional, given that they affect even persons for whom no evidence exist to suggest their involvement in serious crime.

The High Court ruled that a general retention regime must be accompanied by an access regime, whereby there must be prior review by a court or an independent administrative body.

An access regime is necessary to ensure that the access to and use of such data is strictly restricted for the purposes such as national security, defence and public security. However, an over-broad data retention practice may not be counteracted simply with a narrower access regime. This is because broad retention practices create a large pool of personal information that can still be preyed upon by those who are not authorised to access it. Data retention in a generalised manner also creates a chilling effect, capable of undermining the freedom to information as users' distrust of the internet as a means of communication grows.

The High Court has also opened the question of UK's authorisation regime for data requests. The CJEU judgment requires independent prior review for access to retained data. This judgment does not address personal data held by telecoms companies for business purposes or with consent from users. The access regime for personal data retained or just held is provided under RIPA, which allows for self-authorisation by the police. It would be highly impractical to run two separate access regimes for retained and other personal data. Now that the court has flagged this matter up, the Parliament has the opportunity to reconsider the access regime as a whole.

The High Court's judgment is very welcome as it asserts the supremacy of EU law which has properly considered the retention and protection of data. A similar question with regards to the general retention of data has also arisen in Sweden, with their courts asking the CJEU to clarify if:

“Retention [may] nevertheless be permitted where access by the national authorities to the retained data is determined as described below; security requirements are regulated as described below; and all relevant data are to be retained for six months … and subsequently deleted…..?”

This issue is still ongoing as the CJEU's final opinion is yet to be seen. Worryingly, the CJEU may not hear from civil society intervenors. Similarly, we can expect the UK government to appeal the decision and perhaps request a reference back to the CJEU. Meanwhile, other countries – including Belgium, the Netherlands, Germany, Austria, Bulgaria, Romania and others have removed data retention from their laws. So far, their police seem to be detecting crime without major complaints.

[Read more] (1 comments)

July 14, 2015 | Jim Killock

RUSI review adds to consensus for reform

The RUSI review offers few surprises, and has turned out to be less a trailblazer, and more an indication of what the security establishment believes the agencies might accept.

Their Panel included three former senior security staff, and RUSI are themselves very close to the UK’s defence and security apparatus. Thus the tone of the report was always likely to address the concerns of GCHQ and the Foreign Office before those of civil society. Martha Lane Fox, Ian Walden and Heather Brooke will have had a tough job to help produce a relatively balanced report that does at least go some way to address wider concerns.

RUSI follows reports from the Independent Reviewer of Terrorism Legislation, David Anderson, and the Intelligence and Security Committee, so makes reference to many of their ideas. The RUSI report does less well than Anderson Report in one very key regard: it does not set out the need for human rights courts to set the boundary between “bulk collection” and “mass surveillance”. It is hard to say that bulk collection should never take place (it might sometime be necessary and proportionate) but it will rarely happen in isolation. Combined with processing and profiling, it is hard to see GCHQ’s activities as anything other than mass surveillance.

The reason that all of the reports have strained to avoid calling out the government on mass surveillance comes in two parts. Firstly, the ISC, Anderson and RUSI are to different extents insider voices. Anderson has been the most independent and critical, but is playing the role of a reviewer, not a human rights court. He has maximised his ability to make constructive criticism, and advance sound ideas of reform, but stepped back from making the most serious challenges, leaving this question to higher powers, in the form of the courts. The ISC published a report which mixes justifications with good ideas for change, but is less critical than Anderson. RUSI falls somewhere between the two.

The important thing to note is that consensus is emerging on many areas, especially around the need for much stronger oversight and clearer laws. All the reports focused on the need to rewrite RIPA, as essentially incomprehensible. Anderson and RUSI talk about merging the fractured Commissioners to ensure that their role is strengthened. All three want better means for individuals to seek redress through the Investigatory Powers Tribunal and to appeal if it rules against them.

Anderson opened up the call for judicial warrants for interception, and RUSI has come some way to accepting this idea. Both RUSI and Anderson back the idea of international treaties to govern data requests (called Mutual Legal Assistance Treaties, or MLATs) as a key mechanism for gaining access to material needed in investigations.

RUSI is silent on the question of new powers of bulk collection and analysis that we are expecting to be proposed for the police in the proposed Investigatory Powers Bill this Autumn. RUSI focuses on technical oversight and improving national police strategy and training.

Theresa May however has indicated she wants the powers she was denied when the Snoopers’ Charter, or Communications Data Bill was dropped. The ISC stopped short of demanding these powers in their report, and Anderson said that any such capabilities needed to be preceded by a clear operational case, which he had not seen. However, after the recent atrocities in Tunisia, the Home Office will likely sense an opportunity to push Labour towards a consensus for new powers, even if they are entirely unrelated and unlikely to help. Labour should simply apply the tests that Anderson has placed in front of them: what problem are the capabilities actually supposed to be dealing with and at what cost?

RUSI’s report no longer has the political clout stemming from its original association with Nick Clegg as Deputy Prime Minister. The benchmark for reform is the Anderson report, as it was commissioned through Parliament, and Labour claim it as their concession for backing the emergency DRIP bill. If we expect the government to seek cross party consensus, then we should be looking to Anderson to persuade Labour and independent-minded Conservatives of the kinds of change they should be looking for.

[Read more]

July 10, 2015 | Jim Killock

Caspar Bowden

We’d like to express our sorrow at Caspar Bowden’s passing, and to note some of his very remarkable achievements over the last few years. Caspar has been an active member of our Advisory Council since joining it in October 2013 and helped us greatly with our views on surveillance policy, security and European data protection.

Among his contributions to ORG were a series of lectures he gave prior to the PRISM revelations, where he pointed out the gaping holes in US legislation that could allow bulk collection and access to US corporations’ data vaults. At the time, he was pretty much the only person in Europe making these points, cogently and loudly.

Caspar also condemned the holes in European data protection legislation that made US political surveillance impossible to resist. He was consistent in showing the flaws in data transfer rules that would make Europeans’ data rights increasingly impossible to protect. On all these points, Caspar has been setting the agenda, and pushing harder than the Commission or US governments would like. Doing that puts you in a lonely place, and often does not win you friends, but his analysis and assessment of the importance of these points has been shown by events to be correct.

Caspar helped ORG with our work on the Snoopers’ Charter, which is the bastard child of data retention, itself one of his career long fights. He wrote in his chapter on data preservation for our report, explaining how data retention was being combined with collection and analysis:

The Home Office has the Olympic chutzpah to call the apparatus for data-mining all this information a “Filter”, and to justify it in the name of human rights. It says that by connecting up a virtual database (to hunt for arbitrary patterns of suspicion in all the data), they won’t have to build a new central database. But the point is the untrammelled power to hunt through every private life with the tools of military intelligence … It ought to be obvious that continuously recording the pattern of interactions of every online social relationship, and analyzing them with the “Filter”, is simply tyrannical.

Those kinds of observations are what made him an inspiration to campaigners and activists in the digital rights movement.

Caspar, you’ll be missed.


[Read more]

July 09, 2015 | Maxine Chng

DRIPA challenge in court today

The challenge to DRIPA brought by David Davis and Tom Watson was discussed in court today, as the government sought to refer key questions to the EU courts.

Last year, Tom Watson MP and David Davis MP representing Liberty, brought judicial review proceedings to challenge the Data Retention and Investigatory Powers Act (DRIPA). Earlier this year, ORG and PI were granted permission by court to intervene and made points about European law. Initially focusing on a question of compatibility with the European Convention on Human Rights (ECHR), the proceedings now concentrate on DRIPA's conformity with EU law, particularly Article 15 of the ePrivacy Directive.

Generally, the ePrivacy Directive provides for the individual right to confidentiality, erasure and anonymity of one's communication data. Article 15 sets out an exception, whereby Member States can restrict those rights when “necessary, appropriate and proportionate” to safeguard, among others: national security, defence and public security. ORG and PI highlighted in our interveners' submission that the Courts of Justice of the European Union (CJEU) in Digital Rights Ireland (DRI) had already set out the requirements that domestic law must follow in order to comply with Article 15.

Since then however, the government had requested for a reference from the CJEU to clarify how the DRI decision affects UK law. A hearing was held at the Royal Courts of Justice on Thursday morning to determine if the request for reference should indeed be granted.

The government claimed that the CJEU's decision in DRI was in relation to a different legal context, as it was made in reference to the Charter of Fundamental Rights of the EU. On the other hand, the current case tests DRIPA's compatibility with the ECHR or ePrivacy Directive.

Liberty opposed the government's request for a reference, concerned that a reference from the CJEU would only delay the judicial review proceedings. They contend that the relevant principles of EU law are already clear and have been fully considered by the CJEU in DRI. The court agreed and rejected the reference request. A draft judgment is expected to be issued next week.

[Read more]

June 23, 2015 | Ed Johnson-Williams

Net Neutrality in Europe in danger

Net neutrality is under threat in Europe and we urgently need your help before 29th June!

Net neutrality is the principle that Internet Service Providers should treat all data on the Internet equally. It's about minimising the restrictions on which parts of the Internet you can access. And it's about allowing startups to compete with big Internet firms and supporting innovation in the digital economy.

Shortly before the European Parliament elections last May, MEPs voted with a large majority in favour of net neutrality. The vote was a major step towards protecting the open internet in Europe. But then the European Council - which is made up of the Member states of the European Union - hammered out their version of what net neutrality rules they wanted. And it turns out that their version of net neutrality is not worthy of that name.

The Council's text could allow Internet Service Providers to charge customers and companies extra for receiving and delivering different types of online services. Only those who pay more will have easy access to an audience online. It would also authorise blocking of lawful content. This is completely counter to net neutrality and contradicts the Parliament's position.

The Council and the Parliament have been negotiating the final text of the new net neutrality rules for the last few months. And we've seen the Parliament give in to the Council's demands time and again while the Council has given up almost nothing. The Parliament have even conceded on the definition of net neutrality. The phrase net neutrality isn't even in the most recent working text. The Council has successfully replaced it with a vague "open internet" which suggests there is a "non-open" Internet, which is worrying.

If the Council gets their way then net neutrality in Europe will be under extreme threat. The next negotiations are set for 29th June. Until now MEPs haven't heard a lot from European citizens about why they need to stand up for their previous position in support of net neutrality. They need to hear from us now so they know that this is something European citizens care about.

Can you email and tweet the MEPs who are negotiating on net neutrality? You can choose to contact an MEP from the UK using the 'Filter by country' menu.

EDRi (European Digital Rights) have been doing outstanding work tracking and campaigning on European net neutrality proposals. EDRi campaigns for digital rights in the EU and ORG is one of their members. Find out more about their excellent work on their website.

[Read more]

June 11, 2015 | Pam Cowburn

Anderson review: "It is time for a clean slate"

The UK's Independent Review of Terrorism Legislation has said, “it is time for a clean slate” when it comes to surveillance law in the UK. In his report published today, David Anderson QC condemned the current legislative framework as, “fragmented, obscure, under constant challenge and variable in the protections that it affords the innocent”.

Anderson was tasked with reviewing surveillance law as a requirement of the Data Retention and Investigatory Powers Act – one of the concessions gained by Labour and the Lib Dems in return for their support in rushing the Bill through Parliament last July.

Anderson, unsurprisingly, does not condemn mass surveillance in principle and endorses bulk collection by the security services, but the report does call for a radical overhaul of how surveillance is regulated.

Here are some of the key points:

Legal reform: Since the Snowden revelations began two years ago, Parliament has further legislated for surveillance through DRIPA, the Counter Terrorism and Security Act 2015 and amendments to the Computer Misuse Act that legitimise hacking by the security services. Anderson's damning verdict that the law, "is variable in the protections that it affords the innocent” can't be ignored. The report says: "A comprehensive and comprehensible new law should be drafted from scratch, replacing the multitude of current powers and providing for clear limits and safeguards on any intrusive power that it may be necessary for public authorities to use."

Warrants: Under the current system, warrants for surveillance are signed off by government ministers, who are not independent. Anderson's recommendations that warrants should be signed off by judicial commissioners is a welcome shift away from politicial authorisation but it would be preferable for warrants to go through the courts and be signed by serving judges to help make sure that surveillance is 'necessary and proportionate'.

Snoopers' Charter: Anderson says that extending capabilities through a new Snoopers' Charter should only happen if there is, “a detailed operational case needs to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained”. So far the Government hasn't made such a case. In addition, it has made a report by Sir Nigel Sheinwald top secret. That report is believed to have suggested that a new international treaty could be a legal alternative to the Snoopers' Charter.  Despite this, the Home Secretary Theresa May today told the House of Commons that the re-drafted Snoopers' Charter would be laid before Parliament in the autumn - although it would be scrutinised by a Joint Commitee.  

It is unlikely that Anderson's review and the Intelligence and Security Committee's Privacy and Security report would have happened were it not for Edward Snowden's revelations. Two years on, there are still many battles to be fought but one thing is certain - the status quo cannot continue. MPs from all parties must act to ensure that the UK has surveillance powers fit for a democracy.  

You can sign our petiton against the Snoopers Charter here.

[Read more] (1 comments)

May 22, 2015 | Ruth Coustick-Deal

Imagine the web without hyperlinks

ORG is working with an international coalition of over 70 digital rights organisations, from Creative Commons to Thunderclap, to protect our ability to share content. The campaign is called Save the Link.

Our ability to link is under attack, and we need your help to save it!

We all love linking: passing on funny images, surprising stories, wise blog posts and sharp videos. But there are attacks to all of that on the horizon.

What's the threat?

In December 2014, Google permanently shut down the Spanish version of Google News. [1] They did this because amendments to Spanish intellectual property law imposed a compulsory fee for the use of snippets of text to link to news articles. [2]

In the EU, these same lobbyists have been working with the U.S. Trade Representative’s office to pressure lawmakers to upload the same Spanish link censorship laws to the entire European Union. [3]

These laws will effectively censor summaries of news content, as well as linking to legal content.

Let’s put a stop to this right now: Add your voice to the global network to Save the Link.

Such a plan would affect over 500 million citizens’ ability to use the Internet. Imagine using Twitter and not being able to link to a news article without paying a fee. It would shut down the spread of news. This is just one way copyright is being twisted to censor the Web – but it’s far from the only way. That’s why we are part of a huge network of individuals and organizations committed to stopping these censorship plans, wherever they emerge.

The bottom line is this: every successful scheme to censor links weakens the foundation of the Internet.

Speak out now and tell public officials that we’ll fight to Save the Link.

This email is part of a global campaign called 'Save the Link' of which ORG are a member.

[1] Google News in Spain

[2] Spanish Copyright Amendments Will Shakedown News Sites and Censor the Web

[3] An EU-wide ‘Google tax’ in the making?

[Read more] (1 comments)

May 14, 2015 | Ruth Coustick-Deal

We're 3000 strong

In the last few days over 200 people have joined ORG to become of the movement fighting back against Government plans to attack our digital rights. For the first time we have over 3000 members!

On Theresa May’s first day back in office she didn’t wait to re-arrange her desk plants, but instead committed to her favourite piece of legislation: The Snoopers’ Charter. [1] It's a discredited Bill that Parliament said gave insufficient attention to our human rights. It would give the powers of GCHQ to the Police. We don't yet know when it's going to happen, but we do know that we need to be ready for the big announcement.

And this law is just one in a long list of goals the Government have to attack our digital rights:

  • Scrapping the Human Rights Act.
  • Requiring Internet service providers to block websites.
  • Enabling employers to check whether an individual is an extremist.
  • Making every message readable by the state - even when we've encrypted it.
  • We're also worried that they may revive plans for a universally applied block list of extremist sites.
  • And they just announced yet another counter-terrorism bill which is expected to contain more restrictions on free speech, such as to require "extremists" to ask the police for permission to post on the Internet. [2] 

We have some tough fights ahead, including winning over as many Conservative MPs as possible to our side.

Can you join ORG to help us win?

We might not have the tempering influence of the Lib Dems to keep the Home Office in check:
But this time what we have is you.

In the past few days, 200 people joined ORG or increased their donation when they heard the annoucement.

In 2013 we saw the Snoopers’ Charter declared dead after a year of campaigning. Then earlier this year 4 House of Lords peers tried to sneak it in again by adding 18 pages of amendments to the Counter Terrorism and Security Bill. It was thanks to a quick response by ORG supporters, that it was stopped both times. For the first time ORG has over 3000 members: with all of us working together we can stop it again.

Just this week a group of our supporters met together in London to plan local activism in the fight against the Snoopers’ Charter, and we'll be announcing more actions in a couple of days.

Can you commit £5/month to support our work?

Thank you,

[1] The Independent - Snoopers' charter set to return to law as Theresa May suggests Conservative majority could lead to huge increase in surveillance powers [2] David Cameron to unveil new limits on extremists' activities in Queen's speech

[Read more] (2 comments)