April 23, 2015 | Ruth Coustick-Deal

#GE2015 Thank You

We know that candidates are very busy with canvassing, emails and public meetings. They are being asked to talk on lots of different topics to lots of different audiences all the time. That's why we are very grateful to all the candidates, groups and politicans who took the time to come along to one of husting events and answer question on digital rights.

Thank you!

Brighton husting crowd


Candidates we'd like to thank

Manchester Central

Rosa Battle (Labour Councillor for Beswick and Openshaw) in place of Labour and Co-op candidate Lucy Powell @rosa_battle @LucyMPowell
Xingang Wang (Conservative) @XXingang
Kieran Turner-Dave (Green) @ktd_91
Myles Power (UKIP) @myleslgpower
Loz Kaye (Pirate Party) @LozKaye
Alex Davidson (TUSC) @AlexDavidson82
Paul Davies (Communist League)
38 Degrees Manchester
Equality North West @equalitynrthwst


Charlotte Leslie (Conservative) @CLeslieMP
Justin Quinell (Green), @justin_quinnell
Darren Jones (Labour) @darrenpjones
Clare Campion-Smith (Liberal Democrat)
Michael Frost (UKIP) @TheFrostReport
Anne Lemon (TUSC)
Greater Bristol Alliance

Caroline Lucas (Green) @CarolineLucas
Purna Sen (Labour) @Purna_Sen
Clarence Mitchell (Conservative) @mitch_1uk
Chris Bowers (Liberal Democrat) @chris1bowers
Nigel Carter (UKIP) @NigelCarterUKIP
Howard Pilott (The Socialist Party of Great Britain)
Nick Yeomans (Independent)

[Read more]

April 17, 2015 | Ed Johnson-Williams

Surveillance in the General Election Manifestos

Nearly all of the main parties at this General Election have now published their manifestos. Where do the parties’ manifestos stand on surveillance?

We’ve picked out the most relevant parts from their manifestos on surveillance.

You can read more of what the parties have said in their manifestos on all the issues relevant to ORG on our wiki. There are also links to the original documents so you can have a look at them.


We will need to update our investigative laws to keep up with changing technology, strengthening both the powers available, and the safeguards that protect people’s privacy. This is why Labour argued for an independent review, currently being undertaken by David Anderson. We will strengthen the oversight of our intelligence agencies to make sure the public can continue to have confidence in the vital work that they do to keep us safe.

Labour have provided a rather vague statement on their plans. They call for “strengthening the powers available” but it isn’t clear which powers they think need strengthening. We are also unclear on which safeguards they think need to be put into place to protect people’s privacy. Improving oversight of the intelligence agencies is an important area to reform. In our view though, it is also important that the powers and capabilities of the intelligence agencies, as revealed by Edward Snowden, are limited to targeted surveillance on people suspected of crimes. Labour have not committed to any change to the bulk collection of our internet use that GCHQ currently undertakes. It is disappointing that a party which makes so much of its support for the Human Rights Act elsewhere in its manifesto does not see the human rights of privacy, freedom of speech and association as important enough to change its approach to state surveillance.


We will keep up to date the ability of the police and security services to access communications data – the ‘who, where, when and how’ of a communication, but not its content. Our new communications data legislation will strengthen our ability to disrupt terrorist plots, criminal networks and organised child grooming gangs, even as technology develops. We will maintain the ability of the authorities to intercept the content of suspects’ communications, while continuing to strengthen oversight of the use of these powers.

[W]e will ban the police from accessing journalists’ phone records to identify whistle-blowers and other sources without prior judicial approval.

The Conservatives want to increase the surveillance powers available to the police and intelligence agencies. Like Labour, there is no detail on which powers they would strengthen in particular. They say they will introduce "new communications data legislation" which we can only assume is a revamped Communications Data Bill - commonly known as the Snoopers' Charter. The bulk collection of the content of our communications revealed in the documents released by Edward Snowden is not addressed. It is right that police should need judicial approval before they can access journalists’ phone records but judicial authorisation for surveillance should be sought before surveillance on all of us, not just journalists. There is no explicit mention of David Cameron's previously stated principle that all communications should be accessible by the state even when they have been encrypted.

Liberal Democrats

We will:

  • Ensure judicial authorisation is required for the acquisition of communications data which might reveal journalists’ sources or other privileged communications, for any of the purposes allowed under RIPA; and allow journalists the opportunity to address the court before authorisation is granted, where this would not jeopardise the investigation.
  • Ensure proper oversight of the security services.
  • Establish in legislation that the police and intelligence agencies should not obtain data on UK residents from foreign governments that it would not be legal to obtain in the UK under UK law.
  • Oppose the introduction of the so-called Snooper’s Charter. We blocked the draft Communications Data Bill and would do so again. Requiring companies to store a record of everyone’s internet activities for a year or to collect third-party communications data for non-business purposes is disproportionate and unacceptable, as is the blanket surveillance of our paper post.
  • Set stricter limits on surveillance and consider carefully the outcomes of the reviews we initiated on surveillance legislation by the Royal United Services Institute and the Independent Reviewer of Terrorism Legislation David Anderson QC. We are opposed to the blanket collection of UK residents’ personal communications by the police or the intelligence agencies. Access to metadata, live content, or the stored content of personal communications must only take place without consent where there is reasonable suspicion of criminal activity or to prevent threats to life.
  • Uphold the right of individuals, businesses and public bodies to use strong encryption to protect their privacy and security online.

The Liberal Democrats give much greater detail on what they would like to see on the issue of surveillance than Labour or the Conservatives. This should be welcomed. We are happy to see that they oppose the blanket collection of UK residents’ personal communications by the police or intelligence agencies. It will be interesting to see whether they retain their opposition to blanket collection if the reports mentioned above in their manifesto do not share their position. There is also a good commitment to the right to use strong encryption online. We welcome the Liberal Democrat’s call for judicial authorisation before journalists' communications data is accessed but we think this should be necessary before bulk collection of our communications is carried out.

Scottish National Party

We do not support Tory plans for the reintroduction of the so-called ‘snoopers’ charter’, which would see all online activity of every person in the UK stored for a year. Instead, we need a proportionate response to extremism. That is why we will support targeted, and properly overseen, measures to identify suspected extremists and, if necessary, examine their online activity and communications.

It is good to see that the SNP opposes the Snoopers' Charter on the grounds that storing everyone's online activity is a disproportionate response to extremism. Their support for surveillance being targeted at the online activity of those identified as suspects is very welcome. We hope that they would apply these principles to their position on surveillance legislation in the future.



Currently, British intelligence is fragmented between a number of agencies, including MI5, MI6, GCHQ and BBC Monitoring. All have different funding streams and report to different government departments. This generates a significant overlap in work and resources and risks exposing gaps in the system.

UKIP will create a new over-arching role of Director of National Intelligence (subject to confirmation hearing by the relevant Commons Select Committee), who will be charged with reviewing UK intelligence and security, in order to ensure threats are identified, monitored and dealt with by the swiftest, most appropriate and legal means available. He or she will be responsible for bringing all intelligence services together; developing cyber security measures; cutting down on waste and encouraging information and resource sharing.

At our recent civil liberties hustings in Brighton Pavilion, the UKIP candidate said that his party opposes “all general surveillance”. There is no sign of that in their manifesto. They say nothing about which surveillance powers GCHQ should have, how they should be overseen and how they should get authorisation. There are currently two reviews of surveillance being carried out and their manifesto mentions neither of them. It is surprising, to say the least, that after nearly two years of news about GCHQ surveillance, UKIP’s only response is that there are too many intelligence agencies and that too many resources are being wasted.

Green Party of England and Wales

We would:

  • Oppose any case for secret unaccountable mass surveillance of the type exposed by Edward Snowden. We do accept that government law enforcement agencies may occasionally need to intercept communications in specific circumstances. Such specific surveillance should be proportionate, necessary, effective and within the rule of law, with independent judicial approval and genuine parliamentary oversight.
  • Replace the Regulation of Investigatory Powers Act 2000, which has failed
    • to regulate the deployment of undercover police;
    • to support the confidentiality of journalistic sources;
    • to support legal confidentiality; and
    • to enshrine an open and effective right of redress.

The Green Party have released a manifesto with very strong commitments on surveillance reform in line with the calls of the Don’t Spy On Us campaign. They are the only party to mention Edward Snowden in their manifesto! Their calls for targeted surveillance that is proportionate and with independent judicial authorisation are very welcome. They also note the problem that victims of inappropriate surveillance do not currently have a right of redress; another of the Don’t Spy On Us principles.

Plaid Cymru

Plaid Cymru have not included anything about surveillance in their manifesto.


[Read more]

April 07, 2015 | Elizabeth Knight

Status of data retention in the EU following the CJEU ruling - update April 2015

In December 2014 ORG prepared a table showing the status of data retention in the EU, following the CJEU's decision in the Digital Rights Ireland case. We have now updated the table to show the position in April 2015.

We prepared the chart using information provided by member organisations of EDRi (European Digital Rights). Many thanks to all those who contributed.

The table can be found here. 

[Read more]

March 19, 2015 | Lydia Snodin

Digital Rights Are For Everyone, Including Young People.

On Saturday 14th March, Open Rights Group ran workshops with young women about online privacy. Read about what teenage girls had to say about digital rights and why we should listen to them.

When I was 17 I skipped an afternoon of sixth form to join the Open Rights Group outside parliament to protest the Digital Economy Bill. That was in 2010; I didn't know that five years on I'd actually be working for ORG campaigning on these issues! It's understandable but misguided to assume that young people don't care about digital rights. But you don't have to take my word for it as we recently spoke to 50 young women about digital rights!

On Saturday we ran a series of interactive workshops at Being Watched, an all day conference for young women, aimed at helping them to regain control in the online world. It was organised for Empowerment People by Jo Lane (who promotes healthy and safe relationships through Inspire Safer Futures) in partnership with other community groups such as Feminist Webs that do fantastic work empowering young women. I encourage you to have a look at their work.

During our four sessions, we spoke to teenage girls about how people lose control of information about themselves online. Within five minutes of the opening workshop we were getting questions about whether Facebook could read their messages, and it only got more interesting. 

ORG's Communications Director Pam Cowburn (left) and Local Groups Co-ordinator Lydia Snodin (right) introduce the workshop. Photo Taken By: Najah Jane Morris

Drawing inspiration from a Tactical Technology Collective project, we asked everyone to draw their 'digital shadow', meaning a shadow representing the applications and programmes which were storing information about them. See the pictures below to see what our wonderful participants came up with! I couldn't include all the great ones here, the rest of them (and more photos from the day) are on our Flickr.

Teenage girl drawing her 'Digital Shadow' Photo: Jo Lane

50 teenage girls gave up their Saturday to discuss the topics ORG campaigns on. Not only that but they were interested, engaged and made a lot of valuable contributions to the debate on online privacy. We covered ideas like striking the balance between convenience and personal privacy, how pressing 'delete' doesn't always mean what we think it does and the security services and mass surveillance.

It's not true that young people don't consider online privacy and more broadly digital rights. All we need to do is give them the tools to start thinking about the more hidden side of the internet and they'll work the rest out themselves.

As well as online security workshops for young people, we're also developing them for journalists, lawyers and activists. With your help we can continue running bigger and better sessions, not only to spread our message but so we can hear what digital rights mean to different groups.

Talking to the young women about what privacy means to them. Photo: Najah Jane Morris

Please support ORG by joining today:

Thank you for helping us campaign!


Local Groups Co-ordinator at Open Rights Group

Credits: Images by Jo Lane and Najah Jane Morris - thanks to them for letting us include them in this article.

[Read more]

March 19, 2015 | Ruth Coustick-Deal

Why do digital rights matter?

Today we're asking our members and supporters to tell us why digital rights matter, and to help us fundraise for our work.

This isn't just a question for our members, so I asked the staff in our office what motivates them and their campaigning for digital rights:

“I love the Internet. I grew up on it, and like many of us watched it evolve from the whirring sounds of dial-up on a massive computer, to reading the news on my smart phone. I love it because it opened my eyes. Without the teen forum on world issues I wouldn’t have learnt about feminism and campaigning, and without the call to listen on Twitter I wouldn’t have been able to see the police violence in Ferguson or the protests in Gezi Park as they happened. That’s why I think it is vital that we all campaign against online censorship and surveillance. The Internet should be a place where the marginalized are able to have a powerful voice, amplified across the world, not suppressed and silenced by governments and companies through secretive web blocking and surveillance.”
-Ruth Coustick-Deal, Supporter Officer

"Digital rights are human rights. I’ve always been passionate about promoting human rights, across a range of issues including migrants’ rights and women’s rights. The Snowden revelations made me realise that surveillance is currently the greatest threat to human rights in the UK. As our use of digital technology increases, so does the importance of ensuring our rights to privacy and freedom of expression are protected. I believe in fighting to enforce our fundamental human rights in the face of mass surveillance by government agencies. I also believe in fighting for protection of our personal data in the face of companies' thirst for data. For me, fighting for digital rights means claiming what is ours."
-Elizabeth Knight, Legal Director

 "We used to talk about two separate worlds: the real and the virtual. Their convergence has opened a new front in the fight for human rights - a front no less important to us now than our historical struggles for equality, privacy, freedom and security. Why do I believe #DigitalRightsMatter? Because the internet is real life."
-Richard King, Project manager

"When I was at university, I barely used a computer until one day I did a course called 'The Information Superhighway for Arts Students'. I don’t think the phrase digital rights existed back then and I certainly never imagined that I would one day work for a digital rights organisation. But you don't need to be a digital native or even tech savvy to think that digital rights matter. You just need to care about human rights and want to live in a world where your rights to privacy and free speech are protected. #DigitalRightsMatter because they are for everyone"
-Pam Cowburn, Communications Director

"Our lives are increasingly mediated by digital technologies with far reaching consequences. These technologies can be a force for good, but the story is still in the making, with nobody certain of how it will end.

The original grand visions where the internet would bring universal access to knowledge have been challenged by established cultural industries and their political lackeys. But these industries are also supported by well-meaning politicians concerned about jobs, as whole economic sectors become de-localised.

New technologies break down the barriers that have kept humanity within national borders for hundreds of years, but are also used by sectarians, criminals and bigots to reach a global audience.

With our new freedoms we should learn our new responsibilities However, governments of all hues are building paternalistic and socially divisive mass surveillance systems. They hope to get away with it because they can mirror the data monopolies of big internet businesses, built on the promise of convenience.

The fascination with technology can takes us to a black and white world that either mindlessly celebrates disruption or wishes the clock could be turned back. In my work at ORG I try to promote the best that the digital world can offer us, while trying to navigate the grey areas."
-Javier Ruiz, Policy Director

"In 2010, I skipped an afternoon of sixth form to join ORG's Digital Economy Bill protest outside parliament. My understanding then was quite a black and white 'the internet is good, taking it away is bad' approach. What I think now is still pretty similar – although a bit more nuanced! Digital Rights are important because open and free access to the internet is lifeline for people in need. My teenage years would have been much more difficult without access to websites where I could read about anything and everything. The internet is a lifeline that we need to protect."
-Lydia Snodin, Local Groups Coordinator

Tell us why you believe in digital rights! Join the conversation:

Twitter button

Facebook button

[Read more]

March 19, 2015 | Jim Killock

Why are digital rights important?

What are digital rights? And why do they matter? Executive Director Jim Killock gives an overview of why these principles are key right now.

Digital rights are your human rights in the digital age. They are one of the most important aspects of your human rights today: privacy and free expression online are among the most contested. The digital rights movement exists because we need people to understand how technology is shaping our rights, for good and for ill, and who it is who is seeking to employ and capture technology for their benefit rather than yours.

Let’s take a few examples. Privacy is one of your most important rights. Yet most people tend to think of privacy as a question of private life, the choices you make about your person and the things that make you uncomfortable. In the digital world, privacy is a question of personal information, automated judgements and profiling. Many people want to know everything they can about you, because they can – or hope they can – make money out of this. GCHQ perhaps wants to know if you are a threat; and they help the NSA get to know you in case you are politically or economically interesting.

Privacy in a digital age is about political and economic assessment. Personal information is at the root of many power structures and our relationships with government and private companies.

While it is often of benefit for this information to be used, we should be making the choices over how it is used, except in very extreme circumstances.

To take another right, free expression in a digital age is of course benefiting from a huge surge of new ways to communicate. This is a revolution, the most positive side to the digital story. It is not, however, without its problems. UK laws still criminalise ‘grossly offensive’ speech, and at the same time there are victims of sustained campaigns of harassment on social media whose abuse can be dismissed by police as too difficult or costly to prioritise.

The result is that increasingly we expect companies to judge the boundaries of speech, including anonymous speech. This can be very problematic.

Governments too try to limit speech, and often want to do this with limited or no accountability. Extremist content in the UK is taken down by government making requests to companies to remove it under their terms and conditions. A court is never involved. Is this appropriate or accountable? Lists of blocked and removed material are not available, even under freedom of information.

ORG is often making simple arguments about transparency and accountability. As with copyright blocking, these are arguments we can and do win. Even in relation to surveillance, the Intelligence and Security Committee (a parlimentary body whose role is to provide over sight of intelligence activity) has shown that the battle for greater transparency and accountability is one we can win. We are taking action in the courts, which also show we can win the battle for limited and targeted surveillance.

The real battles however are political. That is why a movement is required.

Political change requires social change, which needs education, discussion and arguments to be won.

That is why ORG needs you: both to help us make the case on your behalf, at the highest level to politicians and the media, and to empower you to explain what needs to be done to friends, family and to your elected politicians. Together we have a voice that matters, and that is why you should join today.

[Read more] (1 comments)

March 19, 2015 | Cory Doctorow

Every issue is a digital issue

It is ten years since Cory Doctorow helped Danny O'Brien and Suw Charman-Anderson found ORG, the UK still needs its own campaigning digital rights group.

A message from ORG Advisory Council and founding member Cory Doctorow on why digital rights matter.

It's been ten years since I helped Danny O'Brien and Suw Charman-Anderson found ORG, because the UK needed its own campaigning digital rights group.

A decade ago, it was rare to hear politicians speaking about the need for a free, open Internet -- and even rarer to meet one who understood what that meant. Despite the number of foot-in-mouth inanities mumbled by today's crop of technologically ignorant pols, it was much, much worse then.

And of course, today, every issue is a digital issue: you can't talk about the economy, security, health or education (let alone elections) without talking about digital rights.

Every issue is a digital issue: from mass surveillance to how you read your ebooks; from parody and making backups to NHS data sharing; and of course, every flavour of privacy, including the phone companies' misuse of your personal information.

Politicians today recognise this, but they don't understand it. Every tech policy out of Westminster is a silly quick-fix that provides a good headline but makes things worse. Think of "web filters" which are supposed to protect children, but still let through mountains of porn, while denying kids access to legitimate, important information and unaccountably blocking access to charities and other sites.

When politicians get it wrong, ORG tells them -- and the world -- about it.

ORG is in it for the right reasons: a society free from unaccountable surveillance and censorship; a state that is transparent and accountable; and an Internet that is available for all as a force for creativity, agency, and freedom.

This election, ORG will make politicians commit to those values. Elections are the one time politicians *have* to listen to the voters.

We need your support so that digital rights are always where they belong: right in the centre of every debate.

ORG is up to *3,000* members, and has been doing fantastic work for a decade. Today ORG celebrates that history by looking to the future with Digital Rights Matter Day. Members are sharing their stories about the importance of digital rights on social media.

That's where you come in: please join and share your story and help us keep the Internet free and open.

Thank you,

[Read more]

March 16, 2015 | Jim Killock

GCHQ’s hacking technologies go unregulated and unsupervised

As reported in Wired, GCHQ’s development of hacking technologies is completely absent of external regulation, and their bosses at the Foreign Office lack the ability to understand what they are doing.

This is detailed in last week’s Privacy and Security report from the Intelligence and Security Committee in paragraphs 179–183.

However, the report does not recommend any serious fix to this area of oversight. GCHQ’s hacking technologies, when specific methods are employed and the risks they consider, would continue to be a matter for their judgement alone except in extreme circumstances, even if the ISC’s changes are accepted by government.

The ISC examined GCHQ’s attempts to get around encryption and engage in ‘equipment interference’. They noted that developing these technologies is not subject to any ministerial warrant or external permission (my emphasis):

180. The legal basis for this work is the general power afforded to GCHQ under Section 3(1)(a) of the Intelligence Services Act to:

... monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material.

No additional Ministerial Authorisation is required for these activities. There are internal procedures: ***. There is no legal requirement to inform Ministers: however, GCHQ have said that they would ask the Foreign Secretary to approve a specific operation of this kind “where the political or economic risks were sufficiently high” (although, in practice, they manage their operations to avoid this level of risk). GCHQ told the Committee that:

The FCO is aware of the activity and the possible political risk, but individual legal authorisations are not required for each operation. The FCO could assess the political risk of a compromise, it is not well‐placed to assess the complex technical risk. Whilst not formally overseen by a Commissioner, the Intelligence Services Commissioner has been briefed on this type of activity where it relates to individual approved operations.

This is a very frank omission, that GCHQ ‘s hacking techniques are not subject to oversight, and the political masters at the FCO lack the ability to assess the technical risks. Implicitly, the ISC and Intelligence Services Commissioner also fail to look at the risk assessments and technical implications.

Only days ago, Phillip Hammond, the Foreign Secretary and the man in charge claimed:

[The agencies’] actions are subject to detailed Ministerial oversight: between the Prime Minister, the Home Secretary and me, we spend hours every week with the agencies, ensuring that this Government is doing everything it can to keep the British people safe. … 

I regard the independent scrutiny and oversight that the ISC provides as a particular and significant strength of the British system.

However, in relation to hacking technology oversight is absent: the FCO have a policy of “we trust them, they say they know what they are doing, and we wouldn’t understand anyway”. The ISC concludes (my emphasis):

DD. GCHQ need to be able to read the encrypted communications of those who might pose a threat to the UK. We recognise concerns that this work may expose the public to greater risk and could have potentially serious ramifications (both political and economic). We have questioned GCHQ about the risks of their work in this area. They emphasised that much of their work is focused on improving security online. In the limited circumstances where they do *** they would only do so where they are confident that it could not be ***. However, we are concerned that such decisions are only taken internally: Ministers must be kept fully informed of all such work and specifically consulted where it involves potential political and economic risks.

In other words, GCHQ should choose when to inform ministers, but there is an absence of any plan to introduce oversight and assessment of the technical risks. The new policy would amount to: “we trust them, they will tell us if there is a problem. But we don’t want to be bothered with the technical details”.

What should the FCO and ISC be weighing up?

Assessing the appropriateness of GCHQ’s technologies does indeed rest on some very tricky calculations. Hacking tools depend on using problems in software. These can come from known bugs, bugs that GCHQ finds, are given by the NSA or are otherwise presumed to be unknown beyond the agencies, or they can be placed into software. Sometimes encryption may be weakened by simplifying the protocols for instance.

All of these strategies are problematic from one point of view or another. It is very hard to know that if software is broken, the problem will not be discovered and used by someone else. The damage might be felt through action from other agencies or criminal gangs. The people affected could be individuals, banks, or businesses, in any country, not just the UK. The damage could include any kind of financial or data theft, or even acts of sabotage.

Where rare bugs are found or used, security engineers argue that these are the ones they need to know about most, so they can learn from them and anticipate new solutions. So even when GCHQ thinks their exploits are the least likely to be found, they are potentially denying security engineers the opportunity to solve security’s most important new problems. This is the principle of ‘full disclosure’ which has been a foundation stone of security research for decades.

Government should also assume that for every Snowden there are several other people giving secrets quietly to other parties. That will range from organised crime, to foreign agencies, to third parties in order to cause embarrassment and loss of contracts. This of course makes the use of undeclared exploits an even more risky proposition.

Even where well-known bugs are used, GCHQ are creating an incentive not to inform them of specific exploits or press companies into action. And yet GCHQ also has a role, in CESG, in “Information Assurance”, that is to say, improving general security of computer systems in the UK.

Breadth of GCHQ hacking technologies

The hacking operations from GCHQ are enormous. We have reviewed the public information in Chapter two of our report on GCHQ's activities.

It’s important to note that they have huge resource and technology sharing with the NSA (and their equivalents in Canada, Australia and New Zealand) so that their operations are virtually inseparable in many aspects.

The Snowden documents detail very sophisticated operations, where GCHQ use their access to cables to ‘inject’ malware into normal online communications. The documents show they build malware, have created fake LinkedIn pages and emails, and show they have hacked into major companies including Belgacom and Gemalto. Belgacom’s clean up operation has cost them at least £12 million.

There is evidence that GCHQ and NSA share ‘zero day’ (unpublished) bugs. GCHQ specialises in mobile phone hacking (see NOSEYSMURF for instance). Recent allegations also include a CIA programme to break into Apple phones and tablets.

It may be that their decisions are entirely well judged, but they have an incentive to break into many, many computer systems, and create as much access as possible. The risk calculations are very complicated and yet politicians and oversight are, it appears, not involved in these calculations at all.

Consultation on GCHQ hacking

The government is running a consultation on “Equipment Interference” and a proposed Code of Practice. They are doing this because it is one of several areas where the law is highly unclear about what kinds of activity may be taking place, which is likely to fall foul of ECHR requirements for clear surveillance laws. We believe that primary legislation is needed to meet these concerns. While the Code of Practice is an attempt to regulate these actions, it does not focus on the methods and the oversight needed to control risks associated with these tools, so fails to address our concerns. 

Oversight’s task: legality and effectiveness

This lack of attention goes to the heart of what is wrong with current oversight. For a start, oversight is far more reliant on the agencies’ political masters than independent overseers. Ministers have far more chance of forming an accurate view than the ISC, but may also not feel any desire to get into levels of detail. Independent oversight concentrates on the low barrier of ensuring the agencies comply with current laws rather than examining whether their activities are justifiable.

ORG and civil society tend to concentrate on the basic human rights question: are you targeting your response to what is necessary to deal with specific suspects?

On the other hand, ministers and oversight appear to approach GCHQ’s surveillance as a simplistic question of whether they are reducing the risk of terrorist activity to as close to zero as possible. Cameron claimed that he doesn’t want to be the Prime Minister who failed to give the agencies the tools they needed to prevent a murder. Or, as Malcolm Rifkind put it to campaigners at the hearings: is a terrorist atrocity a price worth paying for privacy?

The problem with Cameron and Rifkind’s approach is that their judgements about GCHQ’s work could be placing us at greater risk of a terrorist threat, or other very serious criminal threats, but they have no real idea if they are doing so.

On a broad level, the ISC is failing to assess the relative cost effectiveness of different strategies, for instance of human intelligence versus automated bulk surveillance.

Given that recent terrorist atrocities have all involved people known to the authorities, we might speculate that traditional intelligence may have not been given sufficient resources. GCHQ is extremely costly, and eats up a great proportion of the intelligence budget. How does the Prime Minister and the ISC know whether they are placing resources into the right strategy? How do they establish if they are not in fact being the ISC and Prime Minister that placed people in danger by failing to know what really works?

While hard, ways to achieve these calculations are the subject of intense investigation, including in academia, where it is known as security economics.

No real oversight of GCHQ hacking technologies

In relation to hacking technologies, the FCO and ISC are failing to examine GCHQ’s underlying risk models, the risks GCHQ takes into account and the values they give to different negative outcomes.

Oversight needs a step change. Sometimes we spell this out by saying to them that they need technical advice to understand the problems. To be completely clear, the ISC, Commissioners and political masters such as the FCO need to understand the risk modelling and make their own cost-benefits analysis. Without technical understanding of their own, they cannot make the calculations. Without making the calculations, they are blindly trusting GCHQ.

While Foreign Secretary Phillip Hammond claims that “independent scrutiny and oversight of the ISC provides … a particular and significant strength of the British system” the ISC has in fact admitted that it and the FCO are absent of the necessary knowledge to understand the risks they are undoubtedly running.

[Read more]