January 15, 2015 | Ruth Coustick-Deal

Join today and vote for digital rights

Help ORG fight mass surveillance this election year.

Join ORG election campaign image

We don't protect our civil liberties by attacking them.

Last week our Prime Minister marched in Paris in the name of freedom of speech and civil liberties in the wake of the Charlie Hebdo attacks.

This week he seeks to chill that right by announcing that a Conservative government would try to make sure that security service have the ability to read any communications. This could mean giving GCHQ and police bodies the ability to break into encrypted messages, or having access to back doors.

He said: “In our country, do we want to allow a means of communication between people which... we cannot read?”

Our answer is yes.

Surveillance harms the free speech he claims to defend.

It makes us cautious about what we say. Any time you hesitate over a web search, or a phrase you were typing thinking 'how will this look to the spooks?', your speech is being changed and damaged.

It cannot be compulsory for us to record every conversation, online or offline.

And these plans to undermine encryption will have consequences for everyone's security; our private messages, banking and shopping will all be more vulnerable to criminal attacks.

We had some great achievements for digital rights, but 2014 was a scary time for privacy. The Government fought back against any criticism that the Snowden revelations swung their way and passed DRIPA, an Act that weakened our rights and dismissed a powerful court decision that mass data retention is illegal. Instead of acknowledging their mistakes, politicians are now talking about further chilling our free speech and privacy and introducing measures which attack the concept of human rights.

But we can change all that. That's why we're launching this join campaign.

Join ORG button
At the 2015 General Election we all have the power to influence the future. It's a moment of urgency, but also an opportunity to put the pressure on like never before to make the next Government protect our rights online.

The parties are making surveillance an issue which defines their values. As they launch their election campaigns, we need to launch ours soon and change the story.

If you join us we can keep running campaigns that make a difference!

Our target: 300 new supporters

ORG is one of the leading UK voices against mass surveillance. We've been speaking with politicians from all parties, discussing their security policies. Thanks to our campaigning the Liberal Democrats voted to put a Digital Bill of Rights in their manifesto. Together we stopped the Snoopers' Charter, and we will always be commited to protecting people from threats to their right to privacy.

There's so much more we can do before this election. With 300 new supporters we can:

  • Build a tool together which tells you where your local candidates stand on privacy and surveillance.
  • Run local hustings across Britain, together with other NGOs and charities to make sure you can ask your candidates tough questions on civil liberties.
  • Take part in a Don’t Spy on Us bus tour around the country to engage voters on surveillance.
  • Hold meetings with candidates to put digital rights in the minds of new MPs.
  • Create question cards and guides so that you feel confident talking to your candidates about these issues.

In this critical election year we need you more than ever, so that all our rights are defended here in the UK.

Can you make it your resolution to commit to £5/month to support our election campaigning?

Already a member?

Facebook buttonTwitter buttonEmail button Reddit button Tumblr Button G+ button LinkedIn Button

If you have a moment to spare, please ask your friends to share this page.

[Read more] (1 comments)

January 13, 2015 | Jim Killock

What does David Cameron want?

Is David Cameron really attacking the idea of encryption of our everyday communications? Is what he is suggesting even remotely possible?

On Monday, David Cameron declared war on encryption as the latest knee-jerk reaction to the atrocities committed in Paris against Charlie Hebdo journalists. He asked whether:

"we want to allow a means of communication between two people which even in extremis with a signed warrant from the home secretary personally that we cannot read? … My answer to that question is no, we must not. The first duty of any government is to keep our country and our people safe."

On the face of it, he is pushing to ensure that encryption is always reversible after a warrant signed by the Home Secretary. We know very little about exactly what Cameron believes he can propose in order to access encrypted material, or even how much material that is encrypted is truly inaccessible. Instead, his unclear and highly broad remarks have caused an unhelpful debate about whether, in principle, law enforcement and security services should 'always' be able to read communications.

Of course, that is impossible. You cannot 'always' be able to open, read, or find a record of a communication. Nor should it be compulsory for you and I to record every time time we talk to someone, online or offline. But we should take a moment to consider what Cameron might actually be proposing.

The security services and police can try to access the plaintext content and metadata of your communications from at least four places.

  1. On your device, where you store email or other communications, or on the device of the person that you talked to
  2. In transit, when data moves from your device to a service or person
  3. At your ISP, your metadata can be accessed, if they have recorded details of your communication
  4. At the Internet platform, such as Google or Facebook, if they store a copy of your communications

It won't always be true that a record will be kept at each or all of these points. The content may be encrypted by the end user at each point it is stored. The police or GCHQ might find it hard to decrypt information: Cameron appears to be demanding that it be made possible to decrypt any information at some point without the knowledge of the person who is under surveillance.

Encrypted information can always be accessed by use of the specific private keys and / or a passphrase (for instance a number or pattern you type into your phone to unlock it). It has been a criminal offence since 2007 to refuse to hand over keys or passphrases and numerous people have been convicted (albeit some convictions seem unsatisfactory because the accused had significant mental health issues).

Let's look at the different places data might be accessed in turn.


Both Apple and Android phones now encrypt their storage by default, so you can be a little less worried if you lose your phone, with perhaps photos, banking, contact and email information on it. These could be useful to criminals and you would be concerned if it was not encrypted and safe.

The same applies to computers. You and your workplace should be encrypting your hard drives in case your computer is stolen.

In transit:

We do know that the information in transit has been made more secure, so this will mean that intelligence and the police have to go to the companies more often, rather than simply harvest the data off the wire, as TEMPORA attempts to do (this is the GCHQ program which takes over 30% of UK-US Internet traffic for analysis at Bude, Cornwall).

Encryption for in-transit communications also protects you against mobile operators and ISPs trying to read your communications. It is vital when you transmit financial data in case criminals try to access it. However, we know that GCHQ and others go to some lengths to circumvent technologies that protect communications in transit. But it is important for people and businesses that communications are transmitted securely.

At your ISP:

Some records are kept at your ISP or by mobile providers. However, these are perhaps less relevant as we don't use ISPs as much to provide email, for instance. This is one reason why the government wants the Snoopers' Charter: they want richer records of your online communications that are stored and easily available within the UK.

At the Internet platform:

Most services store information in ways they can access, so they can make commercial use of it. This information can be retrieved, although with some companies, it may be necessary to go through the US courts.

With some communications platforms, the end user might encrypt the contents, which makes it inaccessible to the platform. This includes the body of an email, encrypted by PGP, or the content of Google chat, when a user uses "Off The Record" (OTR) software, which encrypts your messages when using certain chat platforms. Or you could store encrypted files at Dropbox: Dropbox can't read the document if you use your own encryption tools.

Some companies try to provide more private communications that they cannot read, so these may be the target of Cameron's complaint. Often the reason for private communications is business security, because of sensitive information (such as trade secrets, confidential deals or storing intellectual property) or a desire for personal privacy, prompted by oversharing on platforms like Facebook. It is hard to argue that these groups do not deserve privacy. It's really difficult to see how platforms can stop end users from encrypting their own content.

The magic bullet

It should be obvious that there are good reasons for encrypting information at most of the points that it is transmitted or stored. Cameron argues however that privacy is not an 'absolute' and the police should therefore 'always' be able to break the encryption.

Requiring companies to have back door access is problematic because not everyone uses a commercial service to encrypt their data – you could use PGP on email for instance. Companies cannot add back doors if users are running their own encryption tools.

He could ask that companies are responsible for storing private personal encryption keys. This is obviously a bad idea, as your security is automatically compromised. It is also unenforceable: why should anyone comply with such a requirement?

Another means of gaining access to encrypted material could be to require 'master keys' for encrypted material. This is called ‘key escrow’.

The problem with key escrow or the use of master keys is that they leave a particular encryption method with a secret backdoor, and give every criminal the certain knowledge that this backdoor exists. Criminals then know that they can find a way to break into encrypted material, given a certain amount of effort. Thus the barrier to breaking in becomes time and money, so is a question of the value of the material you want access to. A more general problem is that criminals simply don’t have to use encryption which is compromised by escrow, leaving law abiding citizens with the risks, while criminals simply use safer but perhaps illegal technologies. The use of escrow is again unenforceable.

Cameron may be angling for more pragmatic measures, such as dissuading commercial platforms from storing encrypted material, or legal compulsions to find ways to compromise someone's security in certain circumstances. He could seek to mandate weak keys or weak encryption. Perhaps he wishes to target VPNs to require logging, to ban Tor exit nodes, or systems that are designed to prevent the provider from recording communications.

Measures like these are likely to be undesirable as well: but we need to know what exactly he believes is a problem, rather than hearing bland generalisations which inevitably sound incredibly dangerous to people's everyday security. Only then can we assess how bad an idea it is, although it should be clear that anything which compromises security is likely to adversely affect somebody with legitimate reasons to value their information.

If we find that Cameron is seeking to limit people's access to safe and truly effective encryption technologies, then he will find a great deal of resistance. People can write their own encryption software, and run it themselves: this is hard to stop. Companies supply many markets, and may be unwilling to sacrifice technologies that make their products effective. The prospect of lowering privacy and security across the globe, and increasing the surveillance powers of states that have less regard for human rights may begin to look distasteful. But first Cameron needs to explain what he really means.

[Read more] (2 comments)

January 13, 2015 | Pam Cowburn

Letters from ORG's Advisory Council members: Mass surveillance is not needed

The following letters by ORG Advisory Council members Paul Bernal and Simon Phipps were published in the Evening Standard on 12 January.

Paul Bernal, lecturer at UEA Law School: 

It is not just libertarians who are dismayed by the growing calls for the return of the Snooper’s Charter in response to events in Paris, but anyone who has studied the reality of recent terrorist atrocities and the role of intelligence and surveillance.

The Charlie Hebdo shooters — just like the murderers of Lee Rigby and the Boston bombing suspects — were known to the authorities, and had been for years, linked with known groups.

Indeed, it seems the French authorities had stopped watching them because of a lack of resources. To devote more of our limited resources to forms of mass surveillance that are ineffective and have significantly damaging side effects in terms of liberty, rather than towards targeted intelligence, is not just counter-intuitive but likely to be directly counter-productive. Do not let our understandable fear and horror as a result of a hideous attack allow ourselves to be led down this path.

Paul tweets at 

Simon Phipps, open source and digital rights consultant:

I watch with alarm as, in the wake of the barbaric murders in France, politicians seek increased surveillance powers for the security services.

Surveillance is not always wrong; far from it, our democracy has long allowed accountable public servants to temporarily intrude on individuals they believe to be a threat.

My alarm arises for two reasons: first, the powers requested in recent attempts at new law are open-ended and ill-defined. They lack meaningful oversight, transparency or accountability. They appear designed to permit the security services free rein in making their own rules and retrospectively justifying their actions.

Second, the breadth of data gathered, far beyond the pursuit of individuals, creates a risk of future abuse, by both (inevitable) bad actors and people responding to future moral panic. Today’s justifications – where offered – make no accommodation for these risks.

Voters should listen respectfully but critically to the security services’ requests. Our representatives must ensure that each abridgement of our liberties is ring-fenced, justified objectively using public data, governed with impartial oversight and guarded by a sunset clause for both the powers and all its data by-products.

If the defence of free speech fatally erodes other liberties we are all diminished.

Simon tweets at @webmink

These letters were originally published in the London Evening Standard.

[Read more]

January 09, 2015 | Pam Cowburn

The response to the Charlie Hebdo murders is not more untargeted surveillance

It is still too early to say what could and couldn't have been done to prevent the murder of 12 people at the offices of Charlie Hebdo magazine in Paris on Wednesday

We know that the Hebdo offices were already a target, having been firebombed in 2011, over the publication of a caricature of the prophet Mohammed. We know that the suspects Cherif and Said Kouachi were already known to the security services. We know that France, like the UK has powers to surveill its citizens and, unlike the UK, also has ID cards and an armed police force. But none of this prevented the murder of those 12 people. Despite this, the Head of MI5, Andrew Parker, has indicated that our security services need more powers to prevent similar attacks occuring in the UK.

Not only were the Hebdo murders a horrifying and brutal act, they were also an attack on freedom of speech. The public and private responses of sadness, anger and solidarity, have rightly included calls to defy the terrorists by protecting the very rights and freedoms, that they have attacked.

In the aftermath of such a horrific attack, it may be tempting to see government demands for more powers as the lesser of two evils. As the writer Dan Hodges put it, 'If one way of stopping obscenities like today is providing the security services a bit more access to our e-mails, we must give it to them.'

But as noted above, France's already extensive surveillance powers were not enough to prevent these attacks. While it may be tempting to acquiese to government demands, we don't protect our civil liberties by limiting them further. Mass surveillance treats us all as suspects, reverses the presumption of innocence and has a chilling effect on free speech.

Since Edward Snowden brought our attention to the blanket surveillance of our communications by the security services, there have been repeated calls for powers to scrutinise our personal communications. In the wake of public concern over privacy, the Director of GCHQ, Robert Hannigan took the unprecedented step of speaking publicly about surveillance last November, when he called for more co-operation from tech companies in the fight against terrorism.

Andrew Parker has said that GCHQ's powers are 'patchy' and implies that new legislative powers are needed. ORG has long argued that both RIPA and DRIPA need to be repealed and replaced with a clear legal framework. We do not dispute that surveillance is needed to tackle terrorism and other serious crimes. But in a democracy, surveillance must be targeted, limited and authorised by the courts, if our liberties are to be upheld. The police and security services cannot and should not know everything at all times in a liberal democracy. As the editor of Charlie Hebdo, Stéphane Charbonnier said, 'I prefer to die standing than living on my knees'.

Similarly, the UK cannot claim to defend free speech when surveillance legislation is being used to access the communications of journalists or close down the speech of 'non-violent extremists.

As I write this, two sieges related to the Hebdo murders are taking place in France. It is reported that hostages have been taken and more people may be dead. This is not the time for a kneejerk reaction that will undermine our rights to privacy and free speech. We (still) need the frank public debate about surveillance that has been denied us since the Snowden revelations began. We need to talk about how we deal with hate speech without limiting free speech. And most of all, we need to talk about how we promote a tolerant and open society that integrates the marginalised people that terrorism aims to radicalise.

[Read more] (1 comments)

December 19, 2014 | Elizabeth Knight

ORG signs amicus brief in Microsoft case

This week ORG signed up to an amicus curiae brief prepared by lawyers for Digital Rights Ireland in the ‘Microsoft warrant case’.

In the case, US law enforcement agencies are seeking to access data in an email account held on a server in Ireland. The US government has attempted to use a search warrant to access the data, rather than using the Mutual Legal Assistance Treaties (MLATs) agreed between the US and the EU and the US and Ireland. A US court has granted the warrant to search and seize the data, but Microsoft is fighting it.

In the US, an amicus curiae is a "friend of the court" who is not a party to a lawsuit, but has an interest in the matter. In total 10 amicus briefs were filed in support of Microsoft's position, representing 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations.

ORG believes the US government must respect European citizens’ rights to privacy and the protection of personal data. There is an established route for requests for data by law enforcement agencies, which is the use of MLATs. By signing an amicus brief in support of Microsoft’s position ORG is emphasizing that requests for personal data must be made in compliance with national laws and international treaties.

The amicus brief can be found here. It was prepared by lawyers at McGarr solicitors in Dublin, with White & Case acting pro bono in the US.

[Read more] (1 comments)

December 18, 2014 | Ruth Coustick-Deal

10 Brilliant Moments

2014 has been an amazing year for Open Rights Group. Thanks to our supporters we've had some big wins, and really grown as a movement.

This year we saw thousands of people take part in our campaigns to defend our rights online.

I’d like to share 10 Awesome ORG Moments that you helped make happen in 2014:

Blocked probes

1. The Blocked project was launched and we found out that filters were stopping Chaos Communications Congress from selling event tickets, Maureen from sharing a women’s rights blog and even Open Rights Group from providing a tool to find out about blocking!

Captain America pro-filtering advert

2. The Department of Dirty video made everyone laugh. Some people even tried to complain to the Government about this new department, showing the power of effective satire. 

3. Parody is something that can be used even more now that we’ve won it as a right in UK law! After years of campaigning with you on this issue, we can also have private copying and other sensible exceptions: a huge set of wins for our copyright work.

4. We were the voice of resistence on DRIP, appearing on every news channel from Sky to the BBC when the Government rewrote the idea of emergency by waiting three months to pass emergency legislation, and then doing it all in a week.

5. ORGCon was huge, completely selling out both days at the UK’s only digital rights conference. We had really positive feedback and enjoyed hearing lots of new voices, and getting to know you.

Nothing to Hide, Nothing to fear panel

6. We hired our first legal director and she’s been amazing! Elizabeth’s helped us do exciting new things like take part in several legal interventions, including a judicial review of DRIP.

7.  Thanks to our new legal work and persistent campaigning in challenging the secrecy of website bans, blocking orders are now more transparent.  So far, BT, Sky and Virgin are all providing more information about the blocks.

8. We worked with a huge range of organisations this year, forming coalitions and partnerships with World Development Movement, Liberty, Amnesty and EFF on issues from TTIP to surveillance, making our collective campaigns all the stronger.

9. The Don’t Spy on Us coalition was launched and working as a group has helped us spread the message about mass surveillance. With 15 organisations signed on, over 500 MPs received at least one email about Don’t Spy on Us.

10. Thanks to hiring PamElizabeth and Richard and our brilliant team, we had great press coverage all year round and have been able to get our message out to a wider audience.

It's been a brilliant year and we couldn't have done it without our supporters, people like you taking action and spreading the word.

The challenges just keep coming though. As we look to 2015, and the general election coming up we have to keep fighting to ensure that everyone’s rights are defended and promoted.

Can you join us by giving just £5 a month to make 2015 a better year for our rights?

We hope you have a wonderful Christmas and New Year!

With many thanks from,

Ruth and all the team at Open Rights Group

[Read more]

December 08, 2014 | Lydia Snodin

ORGCon Day 2 - Learning How To Campaign

What happened on the second day of our annual conference? Read about our activism and training day.

The second day of our annual conference was a series of interactive training sessions to share information on how to campaign, plus an all-day hack space. If you missed it, read our blog about the first day.

What happened at ORGCon Day 2?

ORG has a fantastic community of supporters, who are genuinely involved in our work. This helps us to be more effective in our campaigns and stay focused on the people whose rights we are protecting. The aim of Day 2 was to bring our members and supporters together and talk about how they can get more directly involved with our campaigns.

We opened with two inspirational and informative stories of successful campaigns. Johnny Chatterton, co-founder of Campaign Bootcamp, talked about community-based activism changing national policies in the Save Our Forests campaign with 38 Degrees. Their actions helped stop the government sell-off the UK’s forests. Read more about how that happened.

Then Mike Harris, Campaign Director for Don't Spy On Us, described how the Libel Reform campaign led towards the passing of the Defamation Act in 2013, which helps protect authors and bloggers from being sued for libel. Read more about it. It was interesting to hear about the big setbacks that they both overcame – especially given some of the big challenges we face at the minute.

After this we moved on to a series of interactive training sessions: running a campaign group in your area, talking to your MPs and MEPs and securing media coverage. Our session on running a Local Group was particularly successful.

Local groups are our campaign groups across the UK. ORG members and supporters set them up, run them and organise events around digital rights topics with support from our Local Groups Co-ordinator. Digital rights affect people beyond London and Westminster and we are really committed to making sure that we are a grassroots organisation for everyone in the UK. In the session, we talked about how we can help our members organise activities that reflect that.

ORG will be organising a series of public debates with candidates from every political party across the UK and need your help to hold one where you live. We discussed the opportunities in different regions to make mass surveillance an issue politicians care about in the run-up to the general election, through helping organise these and making them a success. 

In the afternoon we held sessions to generate ideas for three of our campaigns: copyright reform, TTIP and mass surveillance. It was highlighted in the 'Don’t Spy On Us’ session that we should aim to get manifesto promises from candidates and MPs on surveillance issues. Learn more about DSOU.


Throughout the day we had a room set aside for all those interested in building technical tools and projects together (the 'hackspace'). They came up with all sorts of interesting projects which you can still get involved in if you like to code for a hobby. So what did they do?

  • Made a start on some Firefox and Chrome extensions for the Blocked project, allowing people to find out which networks a site they are visiting is blocked on. The code for Firefox and Chrome is available on Github.   
  • Started on a program which parses your public utterances and then tries to frame them in an embarrassing and damning fashion, thus demonstrating that algorithmic content-searching can harm you even if you have nothing to hide!
    "Give me six tweets by the most virtuous person and we will find within them something with which to hang them..."

How can you campaign with us?

Even if you didn't come to ORGCon Day 2, you can still support our campaigns in a number of ways. Please consider becoming a member.

You can also join or start your own local group where you can meet other ORG supporters who care about digital rights. Find out more about this, as well as other ways to get involved.

Read about ORGCon Day 1 and catch up on everything else that happened here.

[Read more] (2 comments)

December 05, 2014 | Elizabeth Knight

Court ruling paves the way for European Court of Human Rights to consider “Privacy not PRISM” case

The Investigatory Powers Tribunal (IPT) gave its judgment today in a major surveillance case brought by Privacy International, Liberty and Amnesty International. Disappointingly, the IPT ruled against the NGOs and accepted the security services’ position that they may in principle carry out mass surveillance of all fibre optic cables entering or leaving the UK and that vast intelligence sharing with the NSA does not contravene the right to privacy because of the existence of secret policies.

The decision should enable the European Court of Human Rights (ECtHR) to proceed with hearing the “Privacy not PRISM” case brought by ORG and others. It also means that Privacy International, Liberty and Amnesty International may join us in the ECtHR.

The NGOs challenged the government’s surveillance practices on the grounds that it breached our rights to privacy and freedom of expression. Read Privacy International’s summary of the judgment here.

It is a disappointing decision, but not a surprising one. ORG and the other human rights groups have long argued that the IPT is unable to provide an adequate remedy. It is able to hold secret hearings (as part of the hearing in this case was) without telling the claimant what happened at those hearings. There is no right of appeal from a decision of the IPT. In this case the government refused to divert from its “neither confirm nor deny” policy regarding the existence of its surveillance programmes, which meant the case had to consider hypotheticals.

ORG, Big Brother Watch, English PEN, Article 19 and Constanze Kurz have a case in the ECtHR that challenges the government’s surveillance practices on very similar grounds. Our “Privacy not PRISM” case questions the human rights compliance of GCHQ’s TEMPORA programme, carried out under s.8(4) Regulation of Investigatory Powers Act (RIPA) and the use of information obtained from the NSA’s PRISM programme. The case has been given a priority status by the ECtHR but is currently on hold pending today’s decision by the IPT.

The IPT case has forced the government to disclose previously secret polices, reveal its overly broad definition of “external communications” and admit that it can obtain communications from the NSA without a warrant. These disclosures will assist all of the rights groups' arguments in the ECtHR.

The decision means that the adjournment of our case is likely to be lifted soon. How soon this happens will depend on whether the claimants in the IPT decide to apply to the ECtHR and whether the court allows them to join our case. Privacy International has already indicated that it intends to complain to the ECtHR.

We await the decision of the ECtHR as to when it will re-start our case and begin its scrutiny of the government’s surveillance practices. All parties will now look to the ECtHR to defend our human rights where the IPT has failed to do so.

[Read more]

: E-voting's Unsolvable Problem-->
  • ORG Glasgow: A discussion of the General Data Protection Regulation (GDPR)
  • ORG Aberdeen: March Cryptonoise event
  • ORG North East: Take control of your online life
  • ORG Cambridge: Monthly March Meetup