January 27, 2015 | Jim Killock

Lords should drop the Snooper's Charter and let the parties set out their views at the election

Yesterday’s Lords debate ended up with the future of the Snooper’s Charter amendments uncertain, after considerable criticism of both the process and the principle of reintroducing the Communications Data Bill into the Counter Terrorism and Security Bill. Further debate on the amendments may come back at the report stage of the Bill.

Many Lords argued that Parliament should be given the chance to vote on the legislation, decrying the years of delay – read repeated defeats – in bringing this Bill into law.

However, one purpose behind the amendments now seems clearer. Lord Carlile and others want the publication of a revised Snooper’s Charter, which has apparently been drafted and is ready to be pulled out of the Home Office’s legislation drawer after the election, should a sympathetic Government be elected.

They in fact argued that they would have introduced the revised version, if only the government had published it. So any issues of failing to deal with the criticisms made during previous scrutiny of the Bill were the fault of the government, in the view of the proposers.

Perhaps the most amazing part of the debate was the near vacuum in discussing the necessary reform needed to deal with the current extent of secret electronic surveillance. Talk of a ‘capability gap’ and the need for new powers is an extraordinary reaction in the light of TEMPORA, EDGEHILL and other GCHQ programmes. Since the Snooper’s Charter was first proposed we have learnt of the pervasiveness of secret electronic surveillance. On the same day that the Lords were talking of a ‘capability gap’ and the need for new powers, the Parliamentary Assembly of the Council of Europe reported that the mass surveillance practices of countries - including the UK - pose a fundamental threat to human rights.

Theresa May has pledged that the Snooper’s Charter should be brought into law under a future Conservative administration. Labour are a little more equivocal so far; the Lib Dems have been against it, but are yet to say if this would be a ‘red line’ issue for them.

The correct place for this debate – given Theresa May’s pledge – is the election. Amazingly, she has currently pretty much guaranteed that surveillance will be an election issue. The parties can explain what they want to do, and why. We can learn how these proposals fit in with the clear need for reform, and calls to repeal the Human Rights Act can be debated. We can assess candidates for their ability to understand the issues and think independently.

At the election, Labour, the original proponents of this measure, then known as the Interception Modernisation Programme, have an opportunity to clean up their record. Lib Dems can defend their record on this issue, despite voting for continued data retention. Perhaps the Conservatives can try to amend their calls, and if not, individual Conservatives will hopefully set out their own views on surveillance.

From that perspective, the Lords rushing to put the Snooper’s Charter onto the statute book would be an attempt to deny the electorate a much needed debate about human rights and civil liberties. From another, it could be seen as a cynical ploy to cause the coalition and Labour pain as we enter the final weeks of Parliament, by forcing Labour and the Lib Dem front benches to vote against Conservative and other back benchers trying to see it into law.

The Lords is an unelected revising and advisory chamber, which needs to be careful not to deny the electorate their say, and not to play party politics with an issue that impinges on everyone’s fundamental rights. 


January 20, 2015 | Richard King

Default censorship is wrong and unfair to Sky's customers

Web-filters should be opt-in only. It's fine to offer them but it's wrong to force them on people.

Sky Broadband have announced they will force web-filters on all customers, starting this week, unless the account-holder opts out. They say:

"When trying to visit a website deemed unsuitable for children under the age of 13 during the day, customers will see a page reminding them to make a choice about filtering. At this point, they can accept the current setting, change their protection levels or simply turn Sky Broadband Shield off.


"It's better for people to make their own choice, but until they do, we believe this process to be the safest one. Meanwhile we can ensure that they're protected from phishing, malware and sites unsuitable for young children."

This approach will increase harm for websites and web surfers, and there is still little evidence of the benefit to children, so why are they doing it?

All ISPs promised David Cameron they would make all customers choose whether to use filters or not. Sky is not offering a choice, however: they are imposing filtering unless customers opt out, an approach that the government rejected after running their own consultation. In addition, most households do not contain children, so Sky's default-on approach seems over-reaching.

Could Sky Broadband be seeking to increase adoption of web filters through "nudge" tactics in order to avoid Government criticism for a lack of uptake? Public interest in activating filters has been low since the Government started pressuring ISPs to introduce them in summer 2013. Ofcom said in July 2014 that just 8% of Sky Broadband subscribers had switched them on. The same report showed a 34% adoption-rate for competitor TalkTalk, who promote filters aggressively, and have made them the default option for new subscribers for a long time. Nudge tactics rely on the principle that most people don't bother changing defaults.

If Sky's agenda were neutral, they would block all web-access for an account until the account-holder had stated their preference about filters: on or off. Instead they intend to block only those sites "deemed unsuitable for under 13s."

Many people have become accustomed to finding the occasional blocked site on our mobiles. That's because default-on blocking of adult content has been the norm there for many years (ORG reported on this in 2011). When you buy a mobile phone, your network assumes you are a child, and filters the web accordingly. Now landline ISPs are doing the same.

If people are inconvenienced by Sky Broadband filters only as much as they are on their mobiles, many won't bother to change the defaults, as it may feel like a lot of hassle if your surfing habits fall foul of overblocking infrequently. Meanwhile others might suffer disproportionately more overblocking depending on the information they seek. We suspect resources on sexual health and sexual orientation for instance are blocked in error more often than other types of site. If you are not the account holder, and you can't get to a site you need, your only recourse would be to discuss it with the person controlling the account. That could be a parent, partner, landlord, room-mate, fellow student, etc.

Sky Broadband may claim increased popularity for filters when in reality the figures would be inflated artificially. People who don't want or need them might be too apathetic, or too reluctant to be on a list of "people who requested the bad sites", to switch them off.

Sky Broadband are asking their customers to choose but they are not giving them the information they need to make an informed choice. Their explanations about filters mention none of their disadvantages or limitations. Far from being perfect, web filters block sites nobody could object to, while failing to block others that are unquestionably adult in nature. If Sky Broadband are confused about this they could consult the Department of Dirty for advice.

Filters are not a parenting panacea and do not substitute for responsible supervision of children online. At ORG we believe parents need help understanding the web, advice on how to talk to their children about online risks, and support to be able to supervise their children effectively. Some may choose filtering as part of their solution - but the rest of us shouldn't be forced to have it just in case.

We also need more transparency about how filters work, what they block, and means of redress for website owners when things go wrong. That's why we built our checking tool at - though we would prefer ISPs to take responsibility for this themselves.


January 15, 2015 | Ruth Coustick-Deal

Join today and vote for digital rights

Help ORG fight mass surveillance this election year.


We don't protect our civil liberties by attacking them.

Last week our Prime Minister marched in Paris in the name of freedom of speech and civil liberties in the wake of the Charlie Hebdo attacks.

This week he seeks to chill that right by announcing that a Conservative government would try to make sure that the security services have the ability to read any communications. This could mean giving GCHQ and police bodies the ability to break into encrypted messages, or having access to back doors.

He said: “In our country, do we want to allow a means of communication between people which... we cannot read?”

Our answer is yes.

Surveillance harms the free speech he claims to defend.

It makes us cautious about what we say. Any time you hesitate over a web search, or a phrase you were typing thinking 'how will this look to the spooks?', your speech is being changed and damaged.

It cannot be compulsory for us to record every conversation, online or offline.

And these plans to undermine encryption will have consequences for everyone's security; our private messages, banking and shopping will all be more vulnerable to criminal attacks.

We had some great achievements for digital rights, but 2014 was a scary time for privacy. The Government fought back against any criticism that the Snowden revelations swung their way and passed DRIPA, an Act that weakened our rights and dismissed a powerful court decision that mass data retention is illegal. Instead of acknowledging their mistakes, politicians are now talking about further chilling our free speech and privacy and introducing measures which attack the concept of human rights.

But we can change all that. That's why we're launching this join campaign.

At the 2015 General Election we all have the power to influence the future. It's a moment of urgency, but also an opportunity to put the pressure on like never before to make the next Government protect our rights online.

The parties are making surveillance an issue which defines their values. As they launch their election campaigns, we need to launch ours soon and change the story.

If you join us we can keep running campaigns that make a difference!

Our target: 300 new supporters

ORG is one of the leading UK voices against mass surveillance. We've been speaking with politicians from all parties, discussing their security policies. Thanks to our campaigning the Liberal Democrats voted to put a Digital Bill of Rights in their manifesto. Together we stopped the Snoopers' Charter, and we will always be committed to protecting people from threats to their right to privacy.

There's so much more we can do before this election. With 300 new supporters we can:

  • Build a tool together which tells you where your local candidates stand on privacy and surveillance.
  • Run local hustings across Britain, together with other NGOs and charities to make sure you can ask your candidates tough questions on civil liberties.
  • Take part in a Don’t Spy on Us bus tour around the country to engage voters on surveillance.
  • Hold meetings with candidates to put digital rights in the minds of new MPs.
  • Create question cards and guides so that you feel confident talking to your candidates about these issues.

In this critical election year we need you more than ever, so that all our rights are defended here in the UK.

Can you make it your resolution to commit to £5/month to support our election campaigning?

Already a member?


If you have a moment to spare, please ask your friends to share this page.


January 13, 2015 | Jim Killock

What does David Cameron want?

Is David Cameron really attacking the idea of encryption of our everyday communications? Is what he is suggesting even remotely possible?

On Monday, David Cameron declared war on encryption as the latest knee-jerk reaction to the atrocities committed in Paris against Charlie Hebdo journalists. He asked whether:

"we want to allow a means of communication between two people which even in extremis with a signed warrant from the home secretary personally that we cannot read? … My answer to that question is no, we must not. The first duty of any government is to keep our country and our people safe."

On the face of it, he is pushing to ensure that encryption is always reversible after a warrant signed by the Home Secretary. We know very little about exactly what Cameron believes he can propose in order to access encrypted material, or even how much material that is encrypted is truly inaccessible. Instead, his unclear and highly broad remarks have caused an unhelpful debate about whether, in principle, law enforcement and security services should 'always' be able to read communications.

Of course, that is impossible. You cannot 'always' be able to open, read, or find a record of a communication. Nor should it be compulsory for you and me to record every time we talk to someone, online or offline. But we should take a moment to consider what Cameron might actually be proposing.

The security services and police can try to access the plaintext content and metadata of your communications from at least four places.

  1. On your device, where you store email or other communications, or on the device of the person that you talked to
  2. In transit, when data moves from your device to a service or person
  3. At your ISP, your metadata can be accessed, if they have recorded details of your communication
  4. At the Internet platform, such as Google or Facebook, if they store a copy of your communications

It won't always be true that a record will be kept at each or all of these points. The content may be encrypted by the end user at each point it is stored. The police or GCHQ might find it hard to decrypt information: Cameron appears to be demanding that it be made possible to decrypt any information at some point without the knowledge of the person who is under surveillance.

Encrypted information can always be accessed by use of the specific private keys and / or a passphrase (for instance a number or pattern you type into your phone to unlock it). It has been a criminal offence since 2007 to refuse to hand over keys or passphrases and numerous people have been convicted (albeit some convictions seem unsatisfactory because the accused had significant mental health issues).

Let's look at the different places data might be accessed in turn.


On your device:

Both Apple and Android phones now encrypt their storage by default, so you can be a little less worried if you lose your phone, with perhaps photos, banking, contact and email information on it. These could be useful to criminals and you would be concerned if it was not encrypted and safe.

The same applies to computers. You and your workplace should be encrypting your hard drives in case your computer is stolen.

In transit:

We do know that the information in transit has been made more secure, so this will mean that intelligence and the police have to go to the companies more often, rather than simply harvest the data off the wire, as TEMPORA attempts to do (this is the GCHQ program which takes over 30% of UK-US Internet traffic for analysis at Bude, Cornwall).

Encryption for in-transit communications also protects you against mobile operators and ISPs trying to read your communications. It is vital when you transmit financial data in case criminals try to access it. However, we know that GCHQ and others go to some lengths to circumvent technologies that protect communications in transit. But it is important for people and businesses that communications are transmitted securely.

At your ISP:

Some records are kept at your ISP or by mobile providers. However, these are perhaps less relevant as we don't use ISPs as much to provide email, for instance. This is one reason why the government wants the Snoopers' Charter: they want richer records of your online communications that are stored and easily available within the UK.

At the Internet platform:

Most services store information in ways they can access, so they can make commercial use of it. This information can be retrieved, although with some companies, it may be necessary to go through the US courts.

With some communications platforms, the end user might encrypt the contents, which makes it inaccessible to the platform. This includes the body of an email, encrypted by PGP, or the content of Google chat, when a user uses "Off The Record" (OTR) software, which encrypts your messages when using certain chat platforms. Or you could store encrypted files at Dropbox: Dropbox can't read the document if you use your own encryption tools.

Some companies try to provide more private communications that they cannot read, so these may be the target of Cameron's complaint. Often the reason for private communications is business security, because of sensitive information (such as trade secrets, confidential deals or storing intellectual property) or a desire for personal privacy, prompted by oversharing on platforms like Facebook. It is hard to argue that these groups do not deserve privacy. It's really difficult to see how platforms can stop end users from encrypting their own content.

The magic bullet

It should be obvious that there are good reasons for encrypting information at most of the points that it is transmitted or stored. Cameron argues however that privacy is not an 'absolute' and the police should therefore 'always' be able to break the encryption.

Requiring companies to have back door access is problematic because not everyone uses a commercial service to encrypt their data – you could use PGP on email for instance. Companies cannot add back doors if users are running their own encryption tools.

He could ask that companies are responsible for storing private personal encryption keys. This is obviously a bad idea, as your security is automatically compromised. It is also unenforceable: why should anyone comply with such a requirement?

Another means of gaining access to encrypted material could be to require 'master keys' for encrypted material. This is called ‘key escrow’.

The problem with key escrow or the use of master keys is that they leave a particular encryption method with a secret backdoor, and give every criminal the certain knowledge that this backdoor exists. Criminals then know that they can find a way to break into encrypted material, given a certain amount of effort. Thus the barrier to breaking in becomes time and money, so is a question of the value of the material you want access to. A more general problem is that criminals simply don’t have to use encryption which is compromised by escrow, leaving law abiding citizens with the risks, while criminals simply use safer but perhaps illegal technologies. The use of escrow is again unenforceable.

Cameron may be angling for more pragmatic measures, such as dissuading commercial platforms from storing encrypted material, or legal compulsions to find ways to compromise someone's security in certain circumstances. He could seek to mandate weak keys or weak encryption. Perhaps he wishes to target VPNs to require logging, to ban Tor exit nodes, or systems that are designed to prevent the provider from recording communications.

Measures like these are likely to be undesirable as well: but we need to know what exactly he believes is a problem, rather than hearing bland generalisations which inevitably sound incredibly dangerous to people's everyday security. Only then can we assess how bad an idea it is, although it should be clear that anything which compromises security is likely to adversely affect somebody with legitimate reasons to value their information.

If we find that Cameron is seeking to limit people's access to safe and truly effective encryption technologies, then he will find a great deal of resistance. People can write their own encryption software, and run it themselves: this is hard to stop. Companies supply many markets, and may be unwilling to sacrifice technologies that make their products effective. The prospect of lowering privacy and security across the globe, and increasing the surveillance powers of states that have less regard for human rights may begin to look distasteful. But first Cameron needs to explain what he really means.


January 13, 2015 | Pam Cowburn

Letters from ORG's Advisory Council members: Mass surveillance is not needed

The following letters by ORG Advisory Council members Paul Bernal and Simon Phipps were published in the Evening Standard on 12 January.

Paul Bernal, lecturer at UEA Law School: 

It is not just libertarians who are dismayed by the growing calls for the return of the Snooper’s Charter in response to events in Paris, but anyone who has studied the reality of recent terrorist atrocities and the role of intelligence and surveillance.

The Charlie Hebdo shooters — just like the murderers of Lee Rigby and the Boston bombing suspects — were known to the authorities, and had been for years, linked with known groups.

Indeed, it seems the French authorities had stopped watching them because of a lack of resources. To devote more of our limited resources to forms of mass surveillance that are ineffective and have significantly damaging side effects in terms of liberty, rather than towards targeted intelligence, is not just counter-intuitive but likely to be directly counter-productive. Do not let our understandable fear and horror as a result of a hideous attack allow ourselves to be led down this path.

Paul tweets at 

Simon Phipps, open source and digital rights consultant:

I watch with alarm as, in the wake of the barbaric murders in France, politicians seek increased surveillance powers for the security services.

Surveillance is not always wrong; far from it, our democracy has long allowed accountable public servants to temporarily intrude on individuals they believe to be a threat.

My alarm arises for two reasons: first, the powers requested in recent attempts at new law are open-ended and ill-defined. They lack meaningful oversight, transparency or accountability. They appear designed to permit the security services free rein in making their own rules and retrospectively justifying their actions.

Second, the breadth of data gathered, far beyond the pursuit of individuals, creates a risk of future abuse, by both (inevitable) bad actors and people responding to future moral panic. Today’s justifications – where offered – make no accommodation for these risks.

Voters should listen respectfully but critically to the security services’ requests. Our representatives must ensure that each abridgement of our liberties is ring-fenced, justified objectively using public data, governed with impartial oversight and guarded by a sunset clause for both the powers and all its data by-products.

If the defence of free speech fatally erodes other liberties we are all diminished.

Simon tweets at @webmink

These letters were originally published in the London Evening Standard.


January 09, 2015 | Pam Cowburn

The response to the Charlie Hebdo murders is not more untargeted surveillance

It is still too early to say what could and couldn't have been done to prevent the murder of 12 people at the offices of Charlie Hebdo magazine in Paris on Wednesday.

We know that the Hebdo offices were already a target, having been firebombed in 2011, over the publication of a caricature of the prophet Mohammed. We know that the suspects Cherif and Said Kouachi were already known to the security services. We know that France, like the UK, has powers to surveil its citizens and, unlike the UK, also has ID cards and an armed police force. But none of this prevented the murder of those 12 people. Despite this, the Head of MI5, Andrew Parker, has indicated that our security services need more powers to prevent similar attacks occurring in the UK.

Not only were the Hebdo murders a horrifying and brutal act, they were also an attack on freedom of speech. The public and private responses of sadness, anger and solidarity have rightly included calls to defy the terrorists by protecting the very rights and freedoms that they have attacked.

In the aftermath of such a horrific attack, it may be tempting to see government demands for more powers as the lesser of two evils. As the writer Dan Hodges put it, 'If one way of stopping obscenities like today is providing the security services a bit more access to our e-mails, we must give it to them.'

But as noted above, France's already extensive surveillance powers were not enough to prevent these attacks. While it may be tempting to acquiesce to government demands, we don't protect our civil liberties by limiting them further. Mass surveillance treats us all as suspects, reverses the presumption of innocence and has a chilling effect on free speech.

Since Edward Snowden brought our attention to the blanket surveillance of our communications by the security services, there have been repeated calls for powers to scrutinise our personal communications. In the wake of public concern over privacy, the Director of GCHQ, Robert Hannigan, took the unprecedented step of speaking publicly about surveillance last November, when he called for more co-operation from tech companies in the fight against terrorism.

Andrew Parker has said that GCHQ's powers are 'patchy' and implies that new legislative powers are needed. ORG has long argued that both RIPA and DRIPA need to be repealed and replaced with a clear legal framework. We do not dispute that surveillance is needed to tackle terrorism and other serious crimes. But in a democracy, surveillance must be targeted, limited and authorised by the courts, if our liberties are to be upheld. The police and security services cannot and should not know everything at all times in a liberal democracy. As the editor of Charlie Hebdo, Stéphane Charbonnier said, 'I prefer to die standing than living on my knees'.

Similarly, the UK cannot claim to defend free speech when surveillance legislation is being used to access the communications of journalists or close down the speech of 'non-violent extremists'.

As I write this, two sieges related to the Hebdo murders are taking place in France. It is reported that hostages have been taken and more people may be dead. This is not the time for a kneejerk reaction that will undermine our rights to privacy and free speech. We (still) need the frank public debate about surveillance that has been denied us since the Snowden revelations began. We need to talk about how we deal with hate speech without limiting free speech. And most of all, we need to talk about how we promote a tolerant and open society that integrates the marginalised people that terrorism aims to radicalise.


December 19, 2014 | Elizabeth Knight

ORG signs amicus brief in Microsoft case

This week ORG signed up to an amicus curiae brief prepared by lawyers for Digital Rights Ireland in the ‘Microsoft warrant case’.

In the case, US law enforcement agencies are seeking to access data in an email account held on a server in Ireland. The US government has attempted to use a search warrant to access the data, rather than using the Mutual Legal Assistance Treaties (MLATs) agreed between the US and the EU and the US and Ireland. A US court has granted the warrant to search and seize the data, but Microsoft is fighting it.

In the US, an amicus curiae is a "friend of the court" who is not a party to a lawsuit, but has an interest in the matter. In total 10 amicus briefs were filed in support of Microsoft's position, representing 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations.

ORG believes the US government must respect European citizens’ rights to privacy and the protection of personal data. There is an established route for requests for data by law enforcement agencies, which is the use of MLATs. By signing an amicus brief in support of Microsoft’s position ORG is emphasizing that requests for personal data must be made in compliance with national laws and international treaties.

The amicus brief can be found here. It was prepared by lawyers at McGarr solicitors in Dublin, with White & Case acting pro bono in the US.


December 18, 2014 | Ruth Coustick-Deal

10 Brilliant Moments

2014 has been an amazing year for Open Rights Group. Thanks to our supporters we've had some big wins, and really grown as a movement.

This year we saw thousands of people take part in our campaigns to defend our rights online.

I’d like to share 10 Awesome ORG Moments that you helped make happen in 2014:


1. The Blocked project was launched and we found out that filters were stopping Chaos Communications Congress from selling event tickets, Maureen from sharing a women’s rights blog and even Open Rights Group from providing a tool to find out about blocking!


2. The Department of Dirty video made everyone laugh. Some people even tried to complain to the Government about this new department, showing the power of effective satire. 

3. Parody is something that can be used even more now that we’ve won it as a right in UK law! After years of campaigning with you on this issue, we can also have private copying and other sensible exceptions: a huge set of wins for our copyright work.

4. We were the voice of resistance on DRIP, appearing on every news channel from Sky to the BBC when the Government rewrote the idea of emergency by waiting three months to pass emergency legislation, and then doing it all in a week.

5. ORGCon was huge, completely selling out both days at the UK’s only digital rights conference. We had really positive feedback and enjoyed hearing lots of new voices, and getting to know you.


6. We hired our first legal director and she’s been amazing! Elizabeth’s helped us do exciting new things like take part in several legal interventions, including a judicial review of DRIP.

7. Thanks to our new legal work and persistent campaigning in challenging the secrecy of website bans, blocking orders are now more transparent. So far, BT, Sky and Virgin are all providing more information about the blocks.

8. We worked with a huge range of organisations this year, forming coalitions and partnerships with World Development Movement, Liberty, Amnesty and EFF on issues from TTIP to surveillance, making our collective campaigns all the stronger.

9. The Don’t Spy on Us coalition was launched and working as a group has helped us spread the message about mass surveillance. With 15 organisations signed on, over 500 MPs received at least one email about Don’t Spy on Us.

10. Thanks to hiring Pam, Elizabeth and Richard and our brilliant team, we had great press coverage all year round and have been able to get our message out to a wider audience.

It's been a brilliant year and we couldn't have done it without our supporters, people like you taking action and spreading the word.

The challenges just keep coming though. As we look to 2015, and the general election coming up, we have to keep fighting to ensure that everyone’s rights are defended and promoted.

Can you join us by giving just £5 a month to make 2015 a better year for our rights?

We hope you have a wonderful Christmas and New Year!

With many thanks from,

Ruth and all the team at Open Rights Group
