November 11, 2014 | Javier Ruiz

ORG and Privacy International publish guidance on privacy and open government

Digital rights organisations provide guidance to governments on positive steps around privacy and data protection to be considered in open government programmes.

Open Rights Group and Privacy International have worked with the Transparency and Accountability Initiative to develop a new chapter on Privacy and Data Protection in the Open Government Guide, which will be officially launched at Open Up on November 12th.

The new chapter provides a menu of commitments that governments could adopt in their next OGP Action Plans, each supported by standards and country examples. The ‘illustrative commitments’ are not prescriptive, but ideas that governments can adapt to local circumstances in order to enhance existing protections.

Open Rights Group has long advocated for privacy to be addressed in this context as one of the thorny issues that will make or break the credibility of open government.

However, it is important to avoid the trap of false choices. Privacy and data protection tend to be placed against openness and security. But as ORG's advisory council member Tim Davies put it in a recent blog, this is the wrong approach. Privacy is the basis of both openness and security.

Open government promotes a fully engaged citizenry enabled by technology to participate in the decisions concerning their lives. But this can only lead to a more sophisticated understanding of data, including privacy, surveillance and security.

Our colleagues at the Open Government Partnership Paul Maasen and Su Muhereza have established that privacy is not yet at the heart of national plans for open government.

This situation cannot last much longer. Technology companies are changing their systems to cope with the new demands for privacy and control over information. For example, Apple and Google are starting to encrypt phones by default. Governments committed to openness will have to demonstrate they take privacy seriously. The new privacy chapter in the Open Government guide is a good place to start.

The recommended steps we propose in the guide are clustered around four key areas:

Steps to secure the basic foundations for privacy. This includes both positive legislation on data protection and repealing requirements which prevent anonymity by phone and internet users.

Measures to empower individuals to stay safe and protect personal their own information. This might include public education as well as innovations to give citizens control of the personal information held by institutions such as banks and telephone companies.

Specific protections related to security and intelligence services. Commitments here start with publishing clear and transparent laws on intelligence gathering powers, and go onto publishing annual reports about surveillance and interception of communications.

Steps to integrate privacy into the design of open government programmes. This starts with considering privacy early in the conception stage, establishing processes for assessing how personally identifiable information is collected, used, shared, and maintained and incorporating ‘privacy by design’ principles.

You can read the chapter here.

[Read more] (1 comments)

November 06, 2014 | Ed Johnson-Williams

GCHQ are plunging into the privacy debate.

Writing in Tuesday's Financial Times, the new director of GCHQ Robert Hannigan, called for "greater co-operation from technology companies" to stop terrorists and criminals groups using online services as their "command-and-control networks of choice".

His words completely ignored the Snowden revelations that showed the immense surveillance powers and access to our data that GCHQ has. Instead of talking about GCHQ's apparent habit of collecting the entire British population's data rather than targeting their activities at criminals, he thought he would try to frame the debate as about GCHQ needing more help from technology companies.

David Cameron has come out in support of Hannigan's comments. Hannigan's statement is the latest in a concerted campaign by the Government and the intelligence agencies to bolster support for their surveillance powers.

Even Nick Clegg, the leader of the Liberal Democrats - who traditionally have a good stance on digital rights issues - said he supports blanket collection of data.

And Theresa May and the Home Office are so obsessed with surveillance, they want to scupper the Department for Culture, Media and Sport's plans to let us use our mobile phones on every mobile network; a plan that would increase connectivity and support the UK economy.

This is a big debate. And if we value our privacy from Government surveillance, we're going to have to fight for it.

That's why ORG's spent the last two days pushing back against Hannigan's comments in the media.

We've appeared on BBC TV news and Radio 4 and been quoted in the Daily Mail, The Telegraph and The Guardian. We also wrote a comment piece in the Independent.

Can you help us with the fight by giving us £5 a month?

ORG is playing a huge part in fighting for our privacy by making sure that GCHQ and the Government don't get to push through more surveillance powers unopposed.

We're already holding the Government to account in the courts by taking them to the European Court of Human Rights to challenge GCHQ's practices and oversight and intervening in a case on DRIP - an Act forcing ISPs to retain our email and web data that Parliament rushed through earlier this year.

We'll also be trying to force privacy and digital rights onto the agenda of new MPs at next year's election. We'll hold lots of local debates with Parliamentary candidates in the run-up to polling day in May. And we've got plans for helping ORG supporters to challenge candidates that knock on their door.

But Theresa May and David Cameron will be running their election campaign from precisely the opposite angle. That's why it's so crucial ORG has the resources we need to stand up to them.

Join ORG today so we can keep fighting back against GCHQ's invasion of our privacy.

When you join ORG you'll get a free ticket to our annual conference ORGCon on 15 and 16 November in London. We've got fantastic speakers and we're focusing on surveillance including a talk on what big technology companies are doing about mass surveillance.

[Read more] (1 comments)

November 06, 2014 | Jim Killock

The courts should decide how much privacy we're entitled to - not GCHQ


In his first public statement since becoming Director of GCHQ, Robert Hannigan yesterday described the likes of Facebook, Twitter, Google and Apple as, 'the command-and-control networks of choice for terrorists and criminals,' and called on them to give 'greater co-operation' to the intelligence services. It is a surprising challenge to these companies, given how much GCHQ relies on them for our data.

Edward's Snowden revelations that the NSA and GCHQ were monitoring our personal calls, texts, emails and webchats did not just damage the credibility of the US and UK governments but also the tech companies who to varying degrees had been complicit in sharing our data. But even when they weren’t handing data over, the TEMPORA programme meant that information from their networks was hoovered up anyhow through the tapping of fibre-optic cables.

Companies responded by encrypting data in transit. By doing this, they are forcing our intelligence agencies to use court orders to make requests for data. To our knowledge, tech companies don't refuse these requests when they are made legally – so when Hannigan calls for 'better arrangements' it is unclear what he really means.

In any case, the debate over acquisition of data, in which politicians like to talk of the Internet “going dark”, takes place in a world where data and records of our phones, flights, emails, photos, movements and heartbeats are proliferating. We should be highly skeptical of claims that data is difficult to get hold of.

There are at least five ways that GCHQ can acquire data to investigate terrorists (plus foreign governments, companies, climate change negotiators, human rights activists and EU officials).

Firstly, they can collect all the data off the wires. As we noted, this is becoming harder, as encryption is more common.

Secondly, they can weaken our encryption methods, by adding backdoors, so they can always decrypt things. The problem with that is it means organised crime can find the backdoor, and they can steal our credit card details, passwords, and everything else that we want to keep safe.  The Snowden documents suggested that the NSA and GCHQ have tried this, which, if true, is deeply irresponsible.

Thirdly, they can find ways to break into computers, phones and routers. They find this a lot easier than you might think and invest a lot of money in it.

Fourthly, they can seize your computer and demand any passwords.

Fifthly, they can go to a company like Google or Facebook with a legal order or warrant.

The problem is that GCHQ and the NSA don’t want personal security to get in the way of them looking at our data: they want banks of computers to check on everyone to make sure you don’t pose a threat to them. That is what bulk collection and analysis means, though they daren’t spell it out that way. Instead, they talk of “needles” being separated from “innocent hay”.

They will claim that they need to find every criminal and terrorist at the press of a button, and to do this, they must break encryption, and seize all of our data secretly. Even if that were true, the cost is enormous. It threatens the personal security of our online activity and leaves us vulnerable to criminal activity.  It also gives the intelligence services unrestricted powers to monitor our communications continuously. Perfect surveillance is a kind of omniscience that most people would not trust ordinary mortals with.

Hannigan is right: privacy is not an absolute right but that does not mean it should down to GCHQ or tech companies to decide just how much privacy we are entitled to. That should be down to our courts and judges. We expect that GCHQ will nearly always be able to get what they ask the courts for. This may not be everything they want to get hold of but democracy and freedom mean that government agencies don’t get to have all of the information, all of the time.

This article was originally published by The Independent.



[Read more]

October 18, 2014 | Richard King

Hacking for your digital rights

On 4 October, twenty people got together for a digital-rights hack-day at Mozilla's community space in Covent Garden. Find out what happened and how you can help take the projects we started further.

The day was all about planning and prototyping hacks to help defend digital rights directly, raise awareness of ORG's issues, support our campaigns with evidence and make ORG more accessible to everyone. It was also a great way to bring together and celebrate our technical community, which has gone from strength to strength this year.

Here's a run-down of the hacks, ideas and prototypes people came up with on the day:

You can also check out a few photos of the day on Flickr.

We're really excited about the creativity and viability of all these ideas - and we want to support the community to bring as many of them to fruition as we can. If you're inspired by any of these projects and would like to help take them further, please introduce yourself on the technical volunteers mailing list, or drop by our IRC channel to say hello. You can also find us on github.

If you fancy joining us in person, grab a ticket for ORGCon (15-16 November), where on day two we'll be holding another day-long hack-fest as well as workshops and other sessions on digital-rights activism. We will also be running a session at the Mozilla Festival (24-26 October) looking at how to build on - please come and say hello if you get the chance.

Happy hacking!

Updated on 31/10/14 to include a link to the github page for the "kickstarter for election candidates" hack.

[Read more]

October 14, 2014 | Ed Johnson-Williams

TTIP's threat to our privacy and culture

TTIP (the Transatlantic Trade and Investment Partnership) is a trade agreement currently being negotiated behind closed doors between the United States and the European Union. The agreement is supposed to "increase trade and investment" but there are significant concerns around its potential negative impact on democracy, the rule of law, innovation, culture and privacy.

Many activists are concerned that TTIP will lower regulations that protect us - for example, environmental and food safety laws. TTIP could also lead to the opening up of public services, like those provided by NHS, to US companies - who would be able to sue the UK government if they believe legislation would lead to a reduction in their profits.

NoTTIP Demonstration - Open Rights Group placards

TTIP - pronounced "tee-tip" - is just one of many international trade agreements. Very few of them are well-known and the acronyms for them can get a little bewildering. One thing that is common to many of the recent agreements is Europe and the USA pushing for measures that would jeapordise our digital rights. We need to be vigilant against the threat that TTIP poses for our privacy and culture.

A (relatively) well-known trade agreement is ACTA (the Anti-Counterfeiting Trade Agreement). The EU, the USA and nine other countries negotiated ACTA between 2007 and 2010. ACTA made Internet providers legally responsible for copyright infringement on their network. To determine whether their users were infringing copyright, providers would have been strongly incentivised to carry out deep, intrusive surveillance on all of our Internet usage, regardless of whether we had actually infringed anyone's copyright. This would have been an enormous invasion of our privacy. Thanks to huge public protests across Europe, the European Parliament rejected ACTA in 2012 with a 92% majority.

Another trade agreeement that is currently being negotiated is the TPP (Trans-Pacific Partnership). The USA is working on the TPP with twelve countries in the Asia-Pacific region. Leaks of the intellectual property (IP) chapter show that the USA is pushing for very restrictive measures on IP that would invade privacy and impact upon freedom of expression, beyond even those in ACTA.

The EU and Canada have just finished negotiating CETA - pronounced "see-tuh" - (the Comprehensive Economic and Trade Agreement). The 2009 leak of a draft IP chapter of CETA revealed extensive European demands for Internet provider liability, strict rules on technical restrictions on media that we buy and longer copyright terms. Europe wanted a more repressive IP framework that would have put the interests of major content owners above the need for innovation, culture and privacy.

There is good news though. Those measures have been dropped in the final CETA text. As Canadian academic Michael Geist points out, one of the likely reasons for this is that Canadian negotiators wanted to keep the relatively consumer-friendly copyright reforms that Canada introduced in 2012. TTIP negotiations will not have this moderating force with regards to the IP provisions.

Discussions on IP in TTIP are at a relatively early stage and the relevant chapter has not been leaked. There are, however, reports of USA negotiators asking for measures in TTIP to encourage Internet firms to bypass the rule of law and voluntarily police IP themselves "in good faith". This could mean (mainly American) companies voluntarily removing content, blocking websites, demoting search results or witholding payments without the normal checks required by legal processes. US law being implemented on a global scale by US companies is not something we should accept.

The USA and Europe have a history of proposing extremely restrictive IP measures. We must stop TTIP from invading our privacy and inhibiting our culture and freedom of expression. As the defeat of ACTA shows, we can defeat undemocratic trade deals. We will be watching the TTIP negotiations closely to make sure our fundamental rights are not threatened.

[Read more] (1 comments)

October 06, 2014 | Ed Paton-Williams and Elizabeth Knight

Journalists and their sources require privacy. But so does everyone else

The police’s use of RIPA (the Regulation of Investigatory Powers Act) to access journalists’ phone records came under attack this weekend from the Lib Dems, the Sun newspaper, Parliament’s Home Affairs Committee, and the Government's Interception of Communications Commissioner.

We support stronger protection for journalists and their sources. It is right that overuse of RIPA is addressed. But this debate is failing to recognise the reason that journalists’ data can be accessed in this way. All of our data is indiscriminately retained and the police can access it without authorisation from anyone outside the police. We need comprehensive reform of our surveillance laws to ensure communications data is only retained on a targeted basis and access to the data must be approved by judges.

Yesterday the Liberal Democrats passed a conference motion including a call for greater protection for communications records which are legally privileged or relate to journalistic sources. It also emerged that the Sun has written to the Investigatory Powers Tribunal to ask for a public review of the Metropolitan Police’s use of RIPA to access phone records belonging to their political editor Tom Newton Dunn.

Parliament’s Home Affairs Select Committee is concerned about the police’s use of RIPA to investigate journalists and their confidential sources. Keith Vaz, the committee’s chairman, is going to write to every police force, asking them how many times they have used RIPA to request someone’s records, what the purpose of the request was, and the profession of the target of the request.

In addition, Sir Paul Kennedy, the Government’s Interception of Communications Commissioner, has written to all police forces asking them to provide him with full details of all their investigations which used RIPA to access communications data and identify journalistic sources.

We welcome these interventions and agree that journalists and their sources must be able to expect privacy. At present the police are obtaining journalists’ communications data by using RIPA and bypassing the journalistic protections contained in the Police and Criminal Evidence Act. RIPA was supposed to provide powers to law enforcement to deal with terrorist and serious criminal activities, not to uncover confidential journalistic sources. The current position threatens the privacy and freedom of expression of journalists and whistleblowers.

It is also worth remembering that, in terms of data retention, the lack of exceptions for communications subject to “professional secrecy” was one of the grounds on which the CJEU (Court of Justice of the EU) recently found the EU Data Retention Directive to be disproportionate and invalid.

However, the issue also serves to highlight deeper problems with our surveillance legislation. Under the Data Retention and Investigatory Powers Act (DRIPA) everybody’s communications data is being retained without suspicion of wrongdoing. Under RIPA no judicial authorisation is required to access the retained data and the data may be accessed for very broadly defined purposes. The case of Tom Newton Dunn is a reminder that these powers are not always used to fight terrorism or serious crime.

The current debate has so far centred around law enforcement's access to journalists' communications data. It's true that journalists and their sources require privacy, but so does everyone else. And even if the police were not allowed to acquire journalists' communications records, the wider population including journalists, would still have all their communications data retained.

We need an overhaul of our surveillance laws so everyone’s right to privacy is respected, including that of journalists. A new law should ensure (amongst other safeguards) that communications data is only retained on a targeted basis (or for business purposes) and that all requests to access data are judicially authorised.

All of our recommendations for reforming surveillance law are available in our joint report, Don’t Spy on Us: Reforming Surveillance in the UK.

[Read more] (1 comments)

October 03, 2014 | Elizabeth Knight

Join ORG to fight increasing surveillance and attacks on our human rights

This week, Theresa May announced that the government intends to revive its proposals to extend surveillance through a new Snoopers’ Charter. A new Communications Data Bill would extend data retention and access beyond the level that has already been found to breach fundamental rights.

David Cameron also announced that the government intends to scrap the Human Rights Act.

The details of the “British Bill of Rights” that would replace it are sketchy. But what is clear is that the government is determined to reduce the human rights protections available to ordinary people in order to avoid facing limitations on its own powers. It is precisely these limitations that allow us to defend ourselves against mass surveillance and hold our government to account.

ORG is already fighting mass surveillance and defending the right to privacy in the courts. It’s proving very successful: we have a high chance of forcing the government to admit that their surveillance powers are too broad and not sufficiently controlled.

We are challenging the government’s surveillance practices before the European Court of Human Rights (ECtHR) as one of the applicants in the ‘Privacy not Prism’ claim. We are questioning the legal framework under which the intelligence services receive and use data from the NSA's “PRISM” and “UPSTREAM” programmes. We are aguing that the current framework is inadequate to comply with the “in accordance with the law” requirement of Article 8 of the European Convention on Human Rights (ECHR). We are also challenging GCHQ’s “TEMPORA” programme, which involves the interception of data from transatlantic fibre-optic cables, under general and rolling RIPA warrants. We highlight that this interception is  indiscriminate and generic. We believe the RIPA provisions for external communications warrants breach the “in accordance with the law” and proportionality requirements of Article 8.

The ECtHR has recognised the importance of this case by giving it priority status. The case is currently adjourned pending judgment in the Investigatory Powers Tribunal (IPT) case brought by other human rights NGOs. We expect it to proceed in 2015 following the judgment in the IPT case. 

We are also involved in a legal challenge to the new Data Retention and Investigatory Powers Act 2014 (DRIPA). Tom Watson MP and David Davis MP have launched a judicial review of the lawfulness of DRIPA, asserting it is incompatible with Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the EU Charter of Fundamental Rights. We are seeking to make a third party intervention in the case. We will make submissions on the relevance of the EU context, in particular the restrictions contained in the EU data protection framework on the retention of personal data. We will contend that DRIPA is overly broad of in light of the clear guidance given by the CJEU in the Digital Rights Ireland case.

The parties have agreed not to oppose our intervention and we are currently awaiting the decision of the court on our application for permission. Earlier this year ORG also mobilised 1,600 supporters to complain to their ISP about their data being retained, demonstrating that people care about this issue.

We will win on at least some of these legal battlegrounds. In doing so we will limit the government’s ability to extend surveillance still further. But the threat to our fundamental human rights is increasing and the fight against the extension of indiscriminate surveillance is intensifying. 

The only way we can stop these threats is by fighting back harder. This year, over 1,200 people have joined to help us fight DRIP, PRISM and other mass surveillance programmes. That has enabled us to take on the government in the courts. Now we need to take the fight to the election, where Theresa May and Cameron are already promising to advance the surveillance state. We can force the parties to justify their views; we can show them that the public care about this: but we can only do this with your help.

Join ORG today to support us in the fight.


[Read more]

October 02, 2014 | Elizabeth Knight

Will we now see parliamentary footage used in parodies?

Following the coming in to force yesterday of the copyright exception for parody, ORG wonders whether the use of parliamentary broadcasts in parodies is now allowed.

Previously, broadcasters had been banned from using the footage for purposes other than reporting news. Thus satirical uses were contractually prevented.

With this question in mind we asked the Parliamentary Recording Unit (PRU) how it plans to deal with the new copyright exception for parody in relation to the potential reuse of parliamentary broadcasts.

The PRU responded that they don’t see a need to change the texts of the licences to use recordings Parliamentary proceedings because of the new the parody exception, but they said the licences will operate with regard to the new section of the Copyright, Designs and Patents Act 1988 relating to parodies.

The PRU also referenced the right of the Parliament to deal with any question of contempt should its proceedings be abused. They referred us to remarks made by the Minister for Universities and Science.

The new section 30A CDPA will deal with “caricature, parody or pastiche”. It will provide:

(1) Fair dealing with a work for the purposes of caricature, parody or pastiche does not infringe copyright in the work.

(2) To the extent that a term of a contract purports to prevent or restrict the doing of any act which, by virtue of this section, would not infringe copyright, that term is unenforceable.”

So the response says that licences to use parliamentary footage will be subject to the parody exception, as we would expect, because no contractual override of the exception is allowed. Given that parody works through a copyright exception, technically it will be completely outside any existing or future licence. But we think that it would be better for Parliament to make this clear.

The use for parody of general parliamentary proceedings raises similar questions. The Open Parliament Licence - used for much of the non-audiovisual material made available by Parliament - currently stops anyone from present(ing) the information in a way that discredits the reputation or standing of either House of Parliament or their members or their officials. 

PRU’s reference to the remarks of the Minister for Universities and Science (to the Tenth Delegated Legislation Committee on 9 July 2014) appears to relate to the following exchanges:

Mr Frank Doran (Aberdeen North) (Lab):  I confess, I had not seen this particular provision before coming to this room today. Is the Minister aware that the contract that the House authorities have with the various broadcasting organisations for broadcasting the proceedings of the House bar any use apart from news programmes and specific reporting on the Parliament channel that [Column number: 6] we are all familiar with? I think that that provision in the contract was made for very good reasons, because we are the perfect target for pastiche. Has the Minister taken that into account in his consideration of how the measure will impact, and does he think he will be popular with his colleagues if he has? 

Mr Willetts:  Perhaps I can touch on that in a moment. We have special arrangements in the House, but of course, they cut both ways: on the one hand, we have special arrangements to protect parliamentary proceedings from parody; on the other hand, there are special arrangements to protect our ability to quote within the House of Commons. We can freely quote without having to secure agreement from the people who originally made the remarks or created the works that we are quoting from. In some ways, we are trying to extend to other institutions across the UK the rights that we have given ourselves in this House. 

[Column number: 16]

Mr Willetts:  On parody, I confirm what I said in answer to an earlier intervention: special parliamentary arrangements protect us from parody—thank heavens. There are restrictions on using parliamentary procedures in a parody. These are deep waters and I shall not stray further into them, but those arrangements exist. 

It is quite disappointing that MPs have to reassure themselves that they will be above the law they are about to pass. But we are not so sure Mr Willetts is right.

The “special arrangements” discussed could refer to the Parliamentary Recording Unit’s licence agreements. But it seems the terms of these will not apply to parodyists owing to the parody exception.

The PRU’s response also refers to the possibility of being in ‘contempt’ of Parliament if its proceedings are abused. It is not completely clear to us what this means in the context of parody. 

According to, contempt “refers to disobedience to, or defiance of, an order of the House, or some other insult to the House or its dignity or a breach of parliamentary privilege. It can relate to any attempt to interfere with proceedings or to obstruct or threaten Members in the performance of their parliamentary duties. In the House of Commons contempts are referred to the Committee on Standards and Privileges but any decision must be agreed by the House…” 

We cannot find an explanation in the debate of the relevance of parliamentary contempt. We would like a clearer explanation of the circumstances (if any) in which it would be used against parodyists.

In short, having read the response of the Parliamentary Recording Unit, it remains unclear to us whether parliamentary footage may now be used in parodies.

In any case, changes to the law will have a limited impact if Parliament continues imposing technological restrictions that stop anyone from recording their taxpayer-funded broadcasts and archived footage.

[Read more]