Blog


December 10, 2015 | Ruth Coustick-Deal

The Investigatory Powers Bill: PR myth list

In the weeks since the Investigatory Powers Bill was officially released, we've seen a lot of Government PR. They are trying their best to assure us that we have nothing to be worried about, but we're not convinced.

So we've broken down some of the lines that you might have seen used by the Government and those who are pro-surveillance:

1. The line: This is not a Snoopers’ Charter

What they said: “neither a Snooper’s Charter nor a plan for mass surveillance” - Andy Burnham [1]

Our view: This new Bill will put into law the capabilities and powers revealed by Snowden and more.

Specifically, the Bill extends the state's powers by forcing Internet Service Providers like TalkTalk, Sky and Virgin to store a record of every website and app we've visited in the last 12 months for the police to use. We will be the only EU or Commonwealth country to force ISPs to create and retain people's Internet browsing history.

The idea that the Investigatory Powers Bill is somehow not mass surveillance is also undermined by the word ‘bulk’. Bulk collection, bulk hacking, bulk interception, bulk retention: the Bill uses this word exactly 400 times. Privacy? It only crops up 17 times.

2. The line: There is strong accountability

What they said: “This will be one of the strongest authorisation regimes anywhere in the world.” - Theresa May [2]

Our view: The Government assures us that this Bill offers a “double lock”, by which they mean that Judicial Commissioners will check warrants for the bulk interception of data after they have been signed off by the Secretary of State.

But Judicial Commissioners will not check whether surveillance is necessary and proportionate; they will check whether the Secretary of State acted in good faith and followed the right procedures. It is unlikely that a Judicial Commissioner would challenge any decision on these grounds, but if they do, the Secretary of State can go over their head to the Investigatory Powers Commissioners and ask them to approve the warrant. This looks more like a rubber-stamping exercise than judicial authorisation.

3. The line: We won’t attack encryption

What they said: “it will not ban encryption or do anything to undermine the security of people’s data” - Theresa May [3]

Our view: The Government have gone round in circles on this. In January, the Prime Minister David Cameron said that we must not allow a means of communication which could not be read. [4] Now the Government is trying to assure us that they are not going to do any such thing: this isn’t a ban on encryption, but they do want it weakened a little bit.

The Bill sets out vague powers to compel communications providers to help with demands for interception. In practice this may involve obliging companies to compromise their software and make their encryption less effective. The end result, of course, is that we are all more vulnerable to criminal hacks and data leaks. If a weakness is there for the Government, it’s there for everyone.

4. The line: If you have nothing to hide, you have nothing to fear

What they said: "if you have nothing to hide, you have nothing to fear" - Richard Graham, Conservative MP [5]

Our view: That isn’t true. It’s clear that surveillance affects a broad group of people, with real painful consequences for their lives. We’ve seen journalists being monitored, lawyers having their client confidentiality broken, victims of police misconduct being spied on and environmental campaigns infiltrated.

We also published a blog post here which gives a thorough rebuttal of this cliched argument.

5. The line: We need to sacrifice our privacy for security

What they said: Actually, Theresa May didn’t mention the word privacy once in her speech.

Our view: We are being asked to give up our right to privacy in the name of security but it is possible to value both principles as important, to have privacy AND security. And some of the proposals in this Bill could make us less secure. Activities such as hacking can undermine Internet security and can have consequences for people who are not suspected of any crime. We all have a right to privacy and it should only be invaded if we are suspected of a crime. This is no simple trade-off equation and privacy needs to be valued by all the decision makers in the process.

6. The line: GCHQ have to collect everything so they can find the needle in the haystacks

What they said: “It is impossible to provide a defensive cyber-security apparatus without operating first at the level of bulk, then to winnow out the chaff.” - Sir Iain Lobban, former head of GCHQ [6]

Our view: There is no evidence that mass surveillance is more effective than targeted surveillance when it comes to tackling terrorism and serious crime. Collecting, analysing and keeping everyone's data reverses the presumption of innocence until proven guilty. Surveillance should only be used when there is reasonable suspicion.

7. The line: We need to keep everyone's data in order to catch criminals

What they said: "communications data is absolutely crucial not just to fight terrorism but finding missing people, murder investigations" - David Cameron [7]

Our view: We agree that keeping specific communications data can help the police to tackle serious crimes, such as terrorism and child abuse. However, a ruling in the Court of Justice of the European Union (CJEU) outlined the threshold for deciding to retain that data. For example, if a serious crime is committed, data could be retained for a particular geographical region to support a criminal investigation. This means that the police could still retain data for specific investigations, rather than the blanket surveillance of all citizens.

The CJEU ruling was clear that blanket data retention interfered with our right to privacy and our right to a private family life. Other European countries, including Austria, Belgium, Bulgaria, Germany, Greece, Romania and Sweden, have agreed to this. These countries continue to tackle serious crime without undermining their citizens’ civil liberties through blanket data retention.

References

[1] Andy Burnham, http://www.theguardian.com/world/2015/nov/04/theresa-may-surveillance-measures-edward-snowden

[2] Theresa May, https://www.gov.uk/government/speeches/home-secretary-publication-of-draft-investigatory-powers-bill

[3] Theresa May, https://www.gov.uk/government/speeches/home-secretary-publication-of-draft-investigatory-powers-bill

[4] David Cameron, http://www.bbc.co.uk/news/uk-politics-30778424

[5] Richard Graham, Conservative MP for Gloucester, on the day the Bill was announced, and previously by William Hague, http://i100.independent.co.uk/article/tory-mp-richard-graham-accused-of-quoting-joseph-goebbels-in-defence-of-new-surveillance-bill--bklSCE9nOg

[6] Iain Lobban, http://www.theguardian.com/uk-news/2015/nov/05/former-head-gchq-sir-iain-lobban-adviser-shell-hakluyt

[7] David Cameron, http://www.theguardian.com/uk-news/2015/jan/12/uk-spy-agencies-need-more-powers-says-cameron-paris-attacks



December 04, 2015 | Ruth Coustick-Deal

Responding to "Nothing to hide, Nothing to fear"

Every time we talk about mass surveillance, privacy or the security services’ powers we and our supporters find ourselves at the other end of that familiar phrase, “If you’ve got nothing to hide, you’ve got nothing to fear”. It's time to challenge that.

This powerful sentence does many things:

  • It encourages a complete trust in state powers - that you will never face wrongful suspicion or misuse of powers, for only the guilty are affected by mass surveillance.

  • It encourages people to embrace their own innocence, to look inwards, and not to look at how other people have been treated or targeted.

  • And after all, this is a climate of fear. Being told that nothing to hide means you have nothing to fear is reassuring. We all want nothing to fear.

  • It also introduces the vague threat that just maybe, if you haven’t behaved, you do have something to fear. Not something to challenge, or criticise, but to fear.

  • And so it keeps us in our place.

So let’s give some answers back:

I wrote a piece about how 'surveillance makes us less safe' earlier in the year. I will say again that I believe we should choose to look outwards, and think about all the people who really need the protections of privacy, and all the examples of when they've had that right invaded:

These are all people for whom surveillance turns into real, felt harms. The vulnerability created by an all-watching surveillance state affects everyone who needs their privacy. When they are listed out like this, you can see how so many people fall into one of these categories. Perhaps you find yourself in this list, or know people who are.

Even if a service is something that you are not using in your day to day life, whether that is a hospital, a library, or the local bus service, we understand that those things should still exist for those who rely on them. In the same way, if one person does not feel that they actively need the right to privacy, we should campaign and fight for all those for whom privacy, and the security it provides, is vital.

However, there are a lot of other perspectives on the cliche, "nothing to hide, nothing to fear", and here are some of the best ripostes our members shared with us as their preferred answers:

  • "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
    -- Edward Snowden, US government whistle-blower and former NSA worker
  • "The premise [is] that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect."
    -- Bruce Schneier, computer security and privacy specialist
  • “Equally, what it means to be a free and fulfilled human being is to have a place we can go and be free of the judgmental eyes of other people. There are things we are willing to tell our physician or our lawyer or our psychologist or our spouse or our best friend that we would be mortified for the rest of the world to learn. People can very easily say that they don’t value privacy, but their actions negate the authenticity of that belief.”
    -- "Why privacy matters" TED Talk by Glenn Greenwald, lawyer, journalist and author
  • “There is the inherently selfish response of ‘I have nothing to hide’. Well it is true that I am not ill. It is true that I am not blind. But I still want to live in a world that has hospitals. I still want to live on a street that has accessibility for blind people. And it is also the case that I want to live in a world where everyone has privacy, thus dignity, confidentiality and integrity in their daily lives, without having to ask for it, to beg it from a master. Because it is the case that when you ask someone for those things, they may not grant them. And then you will know that you are not free”.
    -- Jacob Appelbaum, computer security researcher and hacker
  • "You may consider yourself law-abidingly white as snow, and it won’t matter a bit. What does matter is whether you set off the red flags in the mostly-automated surveillance... When you frequently stop at a certain bar on your way driving home from work, the Department of Driving Licenses will draw certain conclusions as to your eligibility for future driving licenses – regardless of the fact that you think they serve the world’s best reindeer meatballs in that bar, and never had had a single beer there. People will stop thinking in terms of what is legal, and start acting in self-censorship to avoid being red-flagged, out of pure self-preservation."
    -- Rick Falkvinge, founder of the Swedish Pirate Party
  • "The broad purposes of the surveillance and its secret nature prevents open debate and deliberation in Parliament, thereby preventing democratic authorisation and oversight. "If you have nothing to fear, you have nothing to hide" is not the language of a democratic society. Our right to privacy forms the bedrock upon which all of our other rights and freedoms are built. The Lords Constitutional Committee (2009) agreed that "Mass surveillance has the potential to erode privacy. As privacy is an essential pre-requisite to the exercise of individual freedom, its erosion weakens the constitutional foundations on which democracy and good governance have traditionally been based in this country."
    -- The Don't Spy on Us coalition (of which ORG is a member)

 

Share image by Brian Yap (CC BY-NC 2.0)



November 05, 2015 | Pam Cowburn

First take on the Investigatory Powers Bill

The long-awaited Investigatory Powers Bill has been published at last. The draft Bill is almost 300 pages long so it is going to take us a while to go through the detail but here is our first take on what it contains.

Legitimising bulk interception and previously unknown access to UK communications data

The draft bill spells out the powers that the security services have to collect content and data in bulk. Although this had been done for years, no one really understood the extent of GCHQ’s capabilities until the Snowden leaks. The government acknowledged today that secret agencies have been going even further, accessing data in bulk from UK internet providers not just from international cables. The bill effectively endorses these previously secret – and at face value disproportionate – mass surveillance powers. This is in addition to powers to obtain bulk datasets, such as phone books, driving licenses, travel or banking records.

Retaining even more data

One of the most controversial parts of this new Bill is that ISPs will be forced to keep much more detailed data about our internet activities, such as websites we visit or apps we use on our phones. To access this data, the police would need to get a court order – this seems to be a concession to the European Court of Justice ruling last April that said there must be safeguards for accessing retained data. In July, the High Court said that parts of the Data Retention and Investigatory Powers Bill were unlawful for the same reason.

We will be asking why the UK police feel they need these powers. In his inquiry into surveillance, the Independent Reviewer of Terrorism Legislation, David Anderson QC said:

“I am not aware of other European or Commonwealth countries in which service providers are compelled to retain their customers’ web logs for inspection by law enforcement. I was told by law enforcement both in Canada and in the US that there would be constitutional difficulties in such a proposal."

Who signs off warrants?

The new Bill proposes a new system of “double-lock” where some warrants will be signed both by the Secretary of State or an authorised person, and additionally by a special judge. At face value this might seem an improvement on the current situation where judges do not have a role, but there are concerns that in practice this may simply amount to a rubber-stamp. Judges would have a very narrow role, only being allowed to check that there are grounds for the minister’s decision and that procedures have been followed, but not to challenge the substance of the decision. Fully independent judicial authorisation would be a better guarantee of due process. Disappointingly, the draft new bill still allows police, councils and other agencies to obtain communications data without the need to involve a judge.

Has encryption been banned?

We don’t think there was ever going to be a serious attempt to ban encryption. The Bill asks for powers to compel communications providers to assist with demands for interception. How companies do this will presumably be at their discretion. In some cases this might involve compromising their software to make the encryption less effective. This is something that we are sure companies will be looking into.

New hacking powers

The bill clarifies the powers of security agencies to break into our laptops and mobile phones, including worrying new powers for non-targeted mass hacking. The bill also forces internet companies to help in hacking their customers.

What are the positives?

We asked for a transparent law and on first reading it does seem to be very clear about the powers being given to the State. Transparency over these activities is very welcome, as it enables debate and challenges to specifics, including in the courts. There also seem to be improvements to redress, including the right to appeal rulings by the Investigatory Powers Tribunal, which is something ORG has campaigned for. The new Investigatory Powers Commissioner may also bring improvements to democratic oversight.

What happens next?

This is a massive bill and it’s going to take us some time to scrutinise it in detail. Our initial view is that the draft bill appears to be a missed opportunity to rein in the surveillance state. It mainly seems to legalise current practices and add a veneer of human rights compliance without fundamentally changing what the police and secret agencies already do.



November 04, 2015 | Ed Johnson-Williams

Investigatory Powers Bill published and now the fight is on

The Government’s just published the draft Investigatory Powers Bill. It will decide the surveillance powers that the police and intelligence agencies have for years to come.

Open Rights Group has been calling for a new surveillance law for years. Today, we’ve got a draft of one. Now the fight’s on to make sure the final Bill genuinely protects our rights to privacy and freedom of speech.

There’s a huge campaign ahead of us now. Can you join ORG today to help us campaign for the dangerous parts of this Bill to be taken out?

The Bill is huge and we’re going to spend the next couple of days going through it to work out exactly what’s in there and what’s not, what’s problematic, and what should stay.

So far we know that the Bill requires Internet Service Providers like Virgin, Sky and BT to store details of every website visited by their customers for 12 months so the police can access that information about us. It also authorises GCHQ’s bulk collection of Internet data by systematically tapping the cables transporting Internet traffic in and out of the UK.

We’ve been talking to the media today and over the last couple of weeks but there’s a lot more to do in the coming months.

First, we want to give politicians, the media, our members, and the public a considered analysis of how the Bill would affect the Internet, the economy, our legal system, and our rights to privacy and freedom of speech.

Then we’ll give evidence to the joint committee of Parliament who will scrutinise the Bill to push for their recommendations to include the changes we want. We’ll also support our local groups who want to lobby their Member of Parliament as the Bill reaches the Commons.

Can you join ORG today to stand up for privacy in the digital age?

We want surveillance to be targeted to those who are reasonably suspected of crimes. It’s a difficult debate and there are plenty of powerful voices on the other side to us. Join us today and add your voice to the debate.



October 29, 2015 | Ruth Coustick-Deal

Bring on the fight for free expression

Yesterday the Prime Minister said that whilst "sputtering over his cornflakes" he decided to legislate to implement filters for adult content.

A chance at last for a full debate about free expression in this country? Bring it on!

This follows the European Parliament vote on net-neutrality regulations, which will ban the current voluntary agreement that the Government pressured Internet Service Providers into accepting, where they provide filters for the Internet and encourage customers to use them. Some of these filters are now switched on by default.

We’ve said it before, and we will keep saying it: filters are flawed. They block lots of "good" websites and let through many "bad" ones (and anyway, who gets to decide the difference?). They apply equally to your seven-year-old and your 17-year-old despite their different needs. They affect many more people than just children, and most households switch them off, as they just get in the way.

However, we welcome Cameron's call for legislation so that we can challenge this idea in a proper, public debate.

Here’s just one story of how filters fail:

Rebecca and Craig Struthers run an award-winning craft watchmaking business called Struthers London. Unknown to them, their site was being blocked by BT and Virgin. It wasn't until Rebecca was contacted by a customer on Twitter that she found out.

When Rebecca contacted Virgin, their customer-services operative refused to believe that there wasn't any porn or violent content on her site. She was told to "tell her customers to turn off the filters", even though they can't reach her site so couldn't read that message!

Rebecca said to us, "customers... will assume there is something wrong with our website, not the filters – they are more likely to trust BT or Virgin than a small business like ours."

We’ve been campaigning against online censorship for the past decade; challenging filtering since it was first introduced for mobiles, and we have heard hundreds of stories just like Rebecca and Craig's. That’s why we built Blocked - a tool that lets anyone check whether any site has been blocked - and created a satirical film about filters called the Department of Dirty.

The Blocked tool is free, but we need your support to keep the project going, and to challenge this legislation effectively. Can you help fight censorship by donating to our work today?

To fight censorship we have:

  • Forced the Government to accept over-blocking is a problem.

  • Encouraged several ISPs to present customers with a real choice about filters instead of as a demand.

  • Shown Parliament and the public the negative effects of filtering.

  • Helped lots of people get their sites unblocked.

There’s more work we can do though! With your support we can:

  • Challenge everything dreadful about this new law.

  • Force the Government to do something about the over-blocking problem.

  • Get ISPs to explain the downsides of filters to customers, not just their advantages, so they can make an informed choice.

  • Improve the Blocked tool to expose more censored sites.

  • Give people like Rebecca and Craig better tools to get problems fixed.

  • Encourage ISPs to install better processes for identifying and unblocking sites.

  • Campaign to stop filters being imposed on everyone by default.

If you want to help us do this and more, please donate today.



October 16, 2015 | Pam Cowburn

Why ORG is offering to help protect MPs’ communications

Open Rights Group has written to all UK MPs to offer training to help them keep their communications private. We did this in response to this week’s ruling by the Investigatory Powers Tribunal (IPT) that the Wilson Doctrine does not protect MPs’ communications from surveillance by the intelligence agencies. We believe those communications should be protected.

The Wilson Doctrine is named after former Prime Minister Harold Wilson who in 1966, following a spate of scandals involving the alleged telephone-bugging of MPs, told the House of Commons that MPs’ phones would not be tapped. In 2002, Tony Blair said that the policy also applied to the “use of electronic surveillance by any of the three security and intelligence agencies”. In the aftermath of the Snowden revelations, Parliamentarians have asked repeatedly for the Government to clarify whether the Wilson Doctrine still applies. In addition, Caroline Lucas MP and Baroness Jones of Moulsecoomb asked the IPT whether the Wilson Doctrine prohibited the interception of their communications – including their confidential correspondence with constituents.

Yesterday’s Judgment settled the matter: MPs’ communications enjoy no special protection, despite the Wilson Doctrine, and their interception is governed by the Regulation of Investigatory Powers Act 2000 (RIPA). At the IPT, GCHQ argued the Wilson Doctrine does not have force in law and cannot impose legal restraints on the agencies. The IPT agreed. We don’t know how long GCHQ have held this view and whether successive Prime Ministers were aware of their position.

The ruling has raised the question of whether parliamentarians' communications deserve greater protection than the rest of us. ORG believes that everyone has the right to communicate privately unless they are suspected of wrongdoing. However, some communications need more protection because the consequences of a breach of privacy would be severe, both for the individuals involved, and for society as a whole.

Our democratically-elected MPs should not be spied on by the security services unless there is a serious threat to national security. Protecting MPs' communications also protects constituents and whistleblowers who need to contact them in confidence. However, if systematic surveillance is in place, it is difficult to maintain confidentiality.

Other professions that need additional protections include lawyers and journalists. Both UK law and the European Court of Human Rights recognise that it is a fundamental human right for lawyers to communicate confidentially with their clients. This is seen as essential to ensure that people have the right to a fair trial. Earlier this year, another IPT ruling showed that policies on how the security services handle privileged communications between lawyers and their clients had breached human rights law.

The Press Gazette launched the Save our Sources campaign to prevent surveillance law being used to access journalists’ communications after it was revealed that the Met police used RIPA to access the phone records of Sun journalist Tom Newton-Dunn. Under the Police and Criminal Evidence Act 1984 (PACE), the police are required to get permission from a judge if they want to access a journalist’s records to identify a source. The fact that the police can still use RIPA instead of PACE to override this safeguard and the difficulty in defining exactly who is a journalist make this difficult to enforce.

The right to privacy should not be limited to certain professions but the fact that our surveillance law has failed to protect these groups shows just how broken the system is. Next year, MPs will vote on a new surveillance law, the Investigatory Powers Bill, which is due to be published in draft form in the next few weeks. This may attempt to offer additional legal protection to lawyers, journalists and parliamentarians. The question is whether these provisions would be realistic given what we know about the capabilities of GCHQ. If data is being collected and analysed in bulk, how can GCHQ and the police guarantee that they have excluded these groups? GCHQ themselves argued before the IPT that excluding politicians from mass surveillance isn’t feasible. If we want to protect privileged communications, we need to protect everyone's communications from indiscriminate surveillance.

Human rights judgments at the CJEU have made it clear that surveillance measures have to be targeted to a specific, necessary purpose in order to be proportionate: collection of data cannot be indiscriminate. Their judgments require robust, independent authorisation to access collected data, and for stored data to remain within the control of EU law. Without this, UK surveillance is open to abuse and could chill political activity and free speech.

MPs will discuss the implications of the IPT ruling for the Wilson Doctrine in an emergency debate on Monday 19 October. We hope that when the draft Investigatory Powers Bill is published they will do the right thing and fight for surveillance legislation that protects everyone’s right to privacy. In the meantime, we are ready to help them protect their communications so that they can communicate with us, their constituents, securely.



October 06, 2015 | Javier Ruiz

Why the CJEU ruling on #SafeHarbor is a landmark victory for privacy rights

The Court of Justice of the EU has ruled that Safe Harbor, the major legal instrument for the transfer of personal data to the US, is invalid due to the lack of protections against mass surveillance by the US government.

CC BY-SA 2.0 openDemocracy

What is Safe Harbor?

European data protection law states that companies can only transfer EU citizens’ data to countries that provide an adequate level of protection for this data. The US does not meet its threshold for protection so in 2000 the European Safe Harbor agreement was created to allow the transfer of data between the US and Europe. Companies were allowed to self-certify that they were carrying out the necessary steps.

Why was the case brought against Facebook?

In 2013, Austrian law student Max Schrems brought a case against Facebook in Ireland, where the company has its European headquarters. He argued that revelations by NSA whistleblower Edward Snowden showed that the NSA were accessing data held by companies like Facebook. As US law did not offer enough protection against this surveillance, his privacy was being violated.

The Irish Data Protection Commissioner rejected Schrems’ case because the Safe Harbor agreement governed the transfer of data. The case was then referred to the Court of Justice of the European Union (CJEU).

What did the CJEU find?

The court did not look at the merits of the Safe Harbor agreement, but observed that it only applies to American companies who use it to receive data; US public authorities are not subject to it. The Court found that “national security, public interest and law enforcement requirements of the United States prevail over the safe Harbor scheme”. This means that Safe Harbor by itself cannot guarantee that privacy rights are respected because other laws take precedence.

The Court also found that some of these US laws are too broad and not compatible with our fundamental rights: “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”.

The judgment echoed the Data Retention Directive judgment from April 2014, with a ‘double lock’ that retention can only take place when it is limited to what is necessary to achieve a specific objective, and accompanied by independent authorisation of access. This goes further than the UK’s recent judgment on data retention, which focused solely on access controls.

The above together with the fact that EU citizens have no legal remedies under those US laws drove the court to declare Safe Harbor invalid. The ruling will force the USA and the EU to look at the protection of privacy for EU citizens when their data is stored in the USA. It places our fundamental rights above trade considerations. This is important when thinking about future trade treaties, which are often controversial because of their potential impact on concerns such as privacy and free expression.

The ruling places greater obligations on data protection authorities - such as the UK’s Information Commissioner - as it says that they must ensure that fundamental rights are respected in data transfer arrangements to the US by private companies. It also limits the ability of the Commission to claim everything is OK and persuade European regulators to look away.

Current CJEU rulings are therefore developing a standard for retained data which requires targeted, proportionate retention, coupled with independent access. This challenges current practice not just with communications data retention, but also the sharing of Passenger Name Records (PNR data). It also has implications for the proposed extension of data retention that we might see in the draft Investigatory Powers Bill due to be published this autumn.

What does this mean for privacy rights?

Max Schrems said:

“I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.

“The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.

“This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.

“At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states.”

What happens now?

This is very big news. Safe Harbor is used by most of the large Internet companies we use every day, but also by some 4,000 other, less well-known companies. Safe Harbor is dead and the legal changes take effect immediately, but the practical effects may take some time to reach ordinary citizens.

EU companies and subsidiaries large or small that currently rely on Safe Harbor will be urgently looking for alternative arrangements that allow them to continue transferring data to the US. Options include asking for informed consent, but it will be awkward to ask customers to volunteer to be spied upon by the US government. Smaller changes to the privacy policies of Facebook or Twitter have led to major outcries, although admittedly not to a huge loss of business.

Companies could try to use contracts or other corporate instruments. But these could take time and turn out to be problematic in the medium term because any such arrangements might suffer from the same limitations vis-a-vis US national security that led to the demise of Safe Harbor.

We do not expect any companies sending data to the US to stop doing this overnight, or at any rate on their own initiative, but they could be open to challenge. Customers may soon be asking them what exactly they are doing to comply with the ruling.

Data protection authorities might need to examine individual arrangements, and may well rule that they are as invalid as Safe Harbor. However, any increased protection will rely on EU member states’ data protection oversight arrangement. The UK Government needs to ensure that the Information Commissioner’s Office is sufficiently resourced and capable of protecting our privacy rights.

Everyone will also be waiting for other legal changes to come from elsewhere. The EU machine is in the final stages of a major rewrite of data protection legislation, and the European Commission was already negotiating a new agreement with the US to replace Safe Harbor.

The EU could promote its own cloud and Internet services industry to encourage companies to keep data within Europe’s jurisdiction. This is not a long term solution, but it would provide an incentive for the US to act and help create an international framework that truly guarantees our privacy irrespective of where our data is located. The CJEU has observed that there is a fundamental lack of protections for EU citizens’ data in the US - so ultimately the US needs to change its laws.



September 25, 2015 | Pam Cowburn

ORG launches Corporate Supporter Scheme

It has been ten years since 1,000 digital activists donated £5 a month to create Open Rights Group. As we approach our 10th anniversary, we now have over 3,000 paying members. Then, as now, ORG’s mission was to support the rights of individuals. Our core belief is that people have the right to control their technology, and we oppose the use of technology to control people.

Many organisations, and the people who work for them, also recognise the benefits of fair laws, transparency and an open and free Internet which benefit them, as well as citizens. A number of businesses have supported us for many years - for example, Bytemark provide our web servers and Andrews & Arnold are instrumental in the running of our Blocked project. Now, ORG has launched our Corporate Supporter Scheme to invite more organisations that believe in digital rights to support our work. We’re delighted to announce that the first businesses to become official ORG Corporate Supporters are Andrews & Arnold, Grit Digital and Valcato Hosting. We hope that many more organisations will join them.

There are many examples of shared areas of concern for individuals and businesses. One of these has been recent media speculation about Government plans for accessing encrypted communications. With issues such as this, the tech sector benefits from ORG calling for the right to encrypt our communications and online transactions. Equally, our campaigns can benefit from their support – not just financially – but by adding their voice to the debate. Getting the business perspective on Government policies and technical developments will also help us to have more informed policy positions. After all, it is often businesses that have to implement Government policies and they are very aware of their flaws.

Human rights are at the heart of everything we do, so we will only invite companies and organisations that support our aims and values to become Corporate Supporters, and we won't, at any point, start promoting their products.

We'd like to thank our Corporate Supporters for helping to make ORG's work even more effective. If you run or work for a business that supports digital rights, you can find out more about our Corporate Supporter scheme here, or by emailing me for more information: pam@openrightsgroup.org 


