July 02, 2014 | Pam Cowburn

ORG's Blocked project finds almost 1 in 5 sites are blocked by filters

Today, Open Rights Group relaunched

A Porsche broker, a political blogger and a mum hoping to read an article about post pregnancy care are among those that have been affected by Internet filters, designed to protect young people from adult content.

In 2012 we published the Mobile Filtering Report, investigating the way default blocking on mobile phones was denying people access to important information. We reported on what has seemed like rather arbitrary censorship, such as the New Wine church block. ORG analysed and drew examples from our site at which originally allowed people to submit when they found that a site had been blocked.

Now the full extent of Internet blocking can be revealed by our relaunched Blocked project.

Any web users can use the free checking tool on where they can instantly check to see if a website has been blocked by filters. Our tool checks the submitted url for blocks across the main Internet networks on both broadband and phone. We have test lines from 3, Andrews & Arnold, BT, Everything Everywhere, O2, Plusnet, Sky Broadband, TalkTalk, Virgin Media and Vodafone.

Through the Blocked project we wanted to find out about the impact of web filters. So far Open Rights Group has tested over 100,000 sites and found that over 19,000 - almost one in five - are blocked by one ISP or another. The problem of overblocking is not going away. Different ISPs are blocking different sites and the result is that many people, from businesses to bloggers, are being affected because people can’t access their websites.

We've found that there is a lack of information about how to get sites unblocked. Mother-of-one Marielle, said she was ‘humiliated’ when she visited the Three store to find out how she could order to access an article about post-partum care on her phone: “The manager told me that I couldn’t access filtered articles without entering a 4 digit pin every time I wanted to read a filtered article because I had a PAYG plan.” Marielle submitted a report to Three saying that the article had been incorrectly blocked but didn’t get a response.

There are more personal stories on the Blocked site and we'd like to hear from you if you've been affected by filters.

We'd like to thank our supporters who committed to make this project happen. ORG's team of technical volunteers worked with us to build the systems and software for this project and we're very grateful for their time. We couldn't have done this without the support of our community, so thank you.

How you can help Blocked?

Test your url:

Spread the word: 
We want as many people as possible to talk about how filtering effects them. It's only through being vocal that we'll be able to change the Government's attitude to Internet censorship.

Join ORG: 
By joining ORG you can help us continue to provide Blocked for free and support our on-going development of the tool.

[Read more] (1 comments)

June 19, 2014 | Elizabeth Knight

Data retention: why we have to keep the pressure on ISPs

In the last four hours, over 400 ORG supporters have contacted their ISPs to demand that they stop retaining customers' email, SMS, web and phone data. It's crucial that we keep up the pressure.

In April the Court of Justice of the EU ruled that the Data Retention Directive breached fundamental rights of privacy and protection of personal data. And yet the ISPs, on government advice, are continuing to store data.

ORG supporters' emails are an important first step in pressuring ISPs and the government. They must be made aware that customers care about this.

Emails to ISPs may also be used as a basis for formal complaints to the Information Commissioner's Office (the body that supervises data retention in the UK). In addition the high level of customer concern may be helpful as evidence in any legal action ORG might take against the government.

In our view there is no legal basis for the continuation of data retention. We believe the ISPs should be acting in their customers' interests and seeking clarity from the courts. At present they are passing the buck and hiding behind government advice to continue as usual. It is for the courts, not the government, to decide whether the UK Data Retention Regulations should continue to be applied.

Some ISPs are already sending automated responses to ORG supporters. Their responses illustrate our concerns.

Virgin Media's response says: “...We have also been in contact with government and with the Information Commissioner's Office following the ruling and the UK government's current position is that although the Directive was held to be invalid, our own Data Retention Regulations are still in force and we must comply with them until such time as they are struck down by a UK court.

Sky's response says: “It is our understanding that the Data Retention (EC Directive) Regulations 2009 remain in force within the UK. We will therefore continue to meet any obligations as set out in those Regulations, and retain data in accordance with our data privacy notice...

It is vital that as many people as possible contact their ISP. ISPs need to know that this is an issue that matters to their customers. We can see from their replies that the ISPs are talking to the government. ISPs must have their customers' concerns at the forefront of their mind when they have these conversations. Your emails help that happen.

If you haven't yet contacted your ISP – Please contact them to register your concern!

If you've already contacted your ISP - thanks for your help. Please keep us updated by sending any replies to

[Read more]

June 19, 2014 | Ed Johnson-Williams

Demand your ISP stops retaining your data

In April, the European law forcing Internet Service Providers like BT, Sky, TalkTalk and Virgin to collect our communications data was struck down by the European Court of Justice. The judges said the law interfered with our right to privacy.

But UK ISPs have passed the buck. On the Government's advice ISPs are still retaining your personal data about who you email, text and phone, where you are and the websites you visit. We'll likely have to take legal action to stop this. First though, we need lots of the ISPs' customers to make a complaint.

ORG's new Legal Director Elizabeth Knight and solicitors from Deighton Pierce Glynn have prepared a legal letter of complaint demanding that your ISP stops retaining your data.

This is a really exciting time for ORG. We've just hired Elizabeth as our new Legal Director so we can take on big legal campaigns like this. We still need your help though to make sure we have lots of examples of people who have told their ISP to stop retaining their communications data.

Can you email the letter to your ISP in your name now? It's already written for you so it'll just take a minute.

At the moment we've only set up the action to contact BT, Sky, TalkTalk and Virgin Media. If you use another ISP, you can use this template letter to complain to them.

Dear [ISP name],

You will be aware of the judgment of the Court of Justice of the EU on 8 April 2014 in the Digital Rights Ireland case Joined Cases C-293/12 and C-594/12, which found the Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC) to be in breach of Articles 7 and 8 of the EU Charter of Fundamental Rights and Freedoms and Article 8 of the European Convention on Human Rights.

This is likely to have the effect of rendering unlawful the UK's regulations implementing that Directive, known as the Data Retention (EC Directive) Regulations 2009. Accordingly, any requirement imposed on you by the Regulations or otherwise by the UK Government is likely to be unlawful as it is in breach of those same fundamental rights.

I ask you as my ISP to confirm to me within 21 days that you shall not store any data relating to me for any period other than as strictly required for the provision of internet services to me i.e. as soon as any data ceases to be necessary for technological reasons only then it shall be automatically deleted. I also ask you to confirm that you shall delete any data already held in relation to me.

If you are not prepared to provide the assurances I seek, then I ask you to state on what authority you continue to retain my data and for what purpose. I also ask you to clarify what arrangements you currently have in place with the UK Government for the retention of my data.

Yours sincerely,

[Your name]

[Read more] (18 comments)

June 10, 2014 | Pam Cowburn

Don't Spy on Us: Day of Action, June 7, 2014

On Saturday, June 7, the Don't Spy on Us campaign and The Guardian hosted a day of action to mark the anniversary of Edward Snowden's revelations about mass surveillance by the NSA and GCHQ. ORG is a founding partner in the Don't Spy on Us coalition, which also includes Article 19, Big Brother Watch, English PEN, Liberty and Privacy International.

Sponsored by F-Secure, the sell-out conference at Shoreditch Town Hall, London, was the biggest privacy event of the year.

The day began with a pre-recorded video message of support by performer Stephen Fry, who criticised the government for using the fear of terrorism as a "duplicitous and deeply wrong means of excusing something as base as spying on the citizens of your own country". Next up was ORG co-founder Cory Doctorow, who suggested that increasing our own personal security online would increase the cost of spying to the extent that it would force the security agencies to become more targeted. In a later session, he also suggested that we need, “privacy for the weak, transparency for the strong”.

Other speakers included Guardian Editor, Alan Rusbridger and the journalist Ewen MacAskill, who gave incredible accounts of how the Snowden story broke – revealing that the New York Times had effectively created an 'embassy' for The Guardian in its New York offices to ensure that the British newspaper was protected by the US constitution.

This was a day of action, not just words, and there were a number of breakout sessions that looked at practical ways that the Don't Spy on Us campaign can persuade the public, government and media to do something about mass surveillance. Tim Duffy, CEO of M&C Saatchi, identified two reasons for public apathy over surveillance – many people are not aware of it and if they are, the fear of terrorism beats the fear of having their privacy invaded. Duffy made a number of suggestions for how the campaign can overcome these problems, including disclaimers on emails and apps.

In a separate session, Claude Moraes MEP, lawyer Mark Stephens, Cambridge University's Ross Anderson and Emam Carr from Big Brother Watch listened to participants' suggestions for new legislation that will protect our rights to privacy and freedom of expression. Meanwhile at a cryptoparty, volunteers (including a number of ORG supporters), showed attendees how to encrypt their emails.

The event ended on an upbeat note with Wikipedia founder Jimmy Wales reminding the crowd about effective collective action over SOPA and urging them not to feel powerless: "We know how to change the world. Let's start doing it." Shami Chakrabarti of Liberty said that if the courts, private business and people start to care, then politicians will start to care about mass surveillance. Security expert Bruce Schneier agreed that the solution will be political, saying that “laws can trump technology".

ORG Executive Director, Jim Killock closed the day by asking people to not only sign and share the Don't Spy On Us petition but also contact their MPs.

One year on, the government response to the Snowden revelations has been inadequate but with an election due next year, politicians are more sensitive to what the electorate wants. With your support, we can make sure they listen to what we are saying.

For more on the event, check out #Don'tSpyOnUs, which trended on Twitter all day on Saturday. You can also read blogs by Professor Ian Brown, Damian Gayle and Falling down the Orwell or see some of the press coverage in The Observer, The Telegraph, The Independent, The Times (£), The Daily Dot and Channel 4.


Waiting for opening speakers at #dontspyonus by Dave Levy CC BY-NC-SA 2.0


 Proposed pro-privacy street ad by Cory Doctorow CC BY_NC-SA 2.0




[Read more] (2 comments)

June 07, 2014 | Jim Killock

No transparency for the UK in Vodafone's transparency report

Yesterday’s transparency report from Vodafone raised a very intriguing question: why did Vodafone feel obliged to redact aggregate surveillance statistics from their UK report?

vodafone reportVodafone’s argument for publishing these statistics where they can is that “The need for governments to balance their duty to protect the state and its citizens against their duty to protect individual privacy is now the focus of a significant global public debate.We hope that – despite the shortcomings … – the country-by-country disclosures in this report will help inform that debate.”

They note however that it is not legal to disclose aggregate statistics or other information in many of the 29 countries in which they operate. Although Google, Twitter, Yahoo and others do publish aggregate information about the UK, Vodafone report states that the law in many states is not clear:

In many countries, there is a lack of legal clarity regarding disclosure of the aggregate number of law enforcement demands. We have therefore contacted governments to ask for guidance. Some have responded, and their views are summarised in this report.

But more importantly, Vodafone have chosen not to publish statistics about the volume of their own communications data requests, as the UK government does this already:

We believe governments should be encouraged and supported in seeking to adopt this approach [publishing aggregate statistics] consistently across our countries of operation. We have therefore provided links to all aggregate statistics currently published by governments in place of our own locally held information (where disclosure is legally permissible at all) and are already engaged in discussions with the authorities in a number of countries to enhance the level of transparency through government disclosure in future.

Separately, where the authorities currently do not publish aggregate statistical information but where we believe we can lawfully publish in our own right, we have disclosed the information we hold for our own local operations.

In other words, as the UK publishes a single aggregagate Comms Data statistic, Vodafone believe they should not duplicate and confuse the picture.

For the UK, Vodafone state:

[Note 1] Section 19 of the Regulation of Investigatory Powers Act 2000 prohibits disclosing the existence of any lawful interception warrant and the existence of any requirement to provide assistance in relation to a warrant. This duty of secrecy extends to all matters relating to warranted lawful interception. Data relating to lawful interception warrants cannot be published. Accordingly, to publish aggregate statistics would be to disclose the existence of one or more lawful interception warrants.

{Note 2] The Interception of Communications Commissioner’s Office publishes statistical information related to lawful interception and communications data demands issued by agencies and authorities.

It is not clear whether it is Vodafone’s interpretation of RIPA, or the government’s that it is really true that “to publish aggregate statistics would be to disclose the existence of one or more lawful interception warrants” and violate Section 19 of RIPA. 

We do not agree with Vodafone that it could be confusing to publish their own figures for requests. It is, we believe, important for everyone to be clear about the volumes and kind of requests they are getting, including the errors and rejections of requests that that are made. Showing that both companies and governments are roughly in agreement about what is happening helps us understand the bigger picture of law enforcement activity. The UK government has been notoriously resistant to the idea of improving transparency and will probably remain so. It is inadequate to expect them to improve without outside pressure, which means comapnies must publish what they can.

Transparency of course is not a solution to mass surveillance. It is just a precondition for a sensible debate, and re-establishing trust. At this point, it seems that the UK government is still trying to perpetuate a culture of secrecy.

UPDATE: This article has been edited to reflect Vodafone's explanation of their choice not to publish UK and other aggregate statistics set out in the report.

[Read more]

June 05, 2014 | Ed Johnson-Williams

Snowden: one year on and still no action by the British government

Last weekend I was on holiday in Hamburg. I got chatting to a German man in a cafe who asked me, as people do in casual conversation, about my work. I told him about ORG's work challenging the UK's surveillance of the Internet. He started talking about how angry he was at the way the UK and USA's surveillance has forced him to think differently when he uses the Internet.

He now finds himself always double-checking that what he searches for on Google, or what he writes on Facebook, or what he sends in an email couldn't be misconstrued by an intelligence agency as something suspicious. He thought it was wrong that he has to worry about who's watching him. He didn't put it in these terms but he'd identified the UK and USA's surveillance as a breach of his everyday freedoms of expression, thought and association as well as his privacy.

It's a year since The Guardian published the first of many news stories about the scale of GCHQ and the NSA's intrusion into our private lives. Based on the revelations of whistleblower Edward Snowden, the stories had global implications, exposing the insecurity of the Internet, straining relationships between the US and its allies and raising questions about who has control over the agencies that purport to protect our freedoms.

And as my conversation in Germany showed, surveillance has damaged global freedom of expression, affecting the way we think when we use the Internet. There have been other consequences to free speech in the UK as well. We have fallen five places in the Freedom House world ranking of countries' press freedom. This was as a result of legal threats made by the Government against The Guardian, the destruction of hard drives in the newspaper's offices and the detainment of David Miranda, the partner of Glenn Greenwald - one of the journalists who broke the Snowden story.

Despite this, and unlike in the US or the rest of Europe, there has been limited public and political debate in the UK. The issue continues to be conveniently ignored by the UK government and sidelined by most of our mainstream media.

In a new film Classified, launched by ORG today, we expose the failure of the Government to oversee the agencies that are scooping up massive amounts of our personal data in the name of national security. MPs, including Dominic Raab, David Davis, Julian Huppert and Tom Watson, admit that they didn't know about the extent of mass surveillance until The Guardian published Snowden's revelations. As the leader of the Green party Natalie Bennet points out, when democratically elected people, "who are supposed to control our security services didn't is extremely disturbing". (Download the torrent here)

Our film shows that those charged with holding the agencies to account do not appear to have the knowledge and expertise to do their job properly. We need a proper inquiry and new legislation that will protect our rights and ensure that there is both judicial and political oversight of surveillance.

One year on, it's still not too late to demand change. MPs tell us that the best way to get their attention is constituents telling them in their own words why they care about an issue, so please help us by signing the Don't Spy on Us petition and then writing a brief email to your MP.

[Read more]

June 04, 2014 | Ruth Coustick-Deal

Big announcement: Strengthening ORG’s legal work

Our new Legal Director started this week and she is about to begin a series of new legal actions to defend your privacy and free speech.

ORG’s first full time Legal Director started work this week. ORG is extremely grateful for the generous help of its supporters, who have made this new role possible. ORG sought new members and funding through its #ORGLawFund campaign. Thanks to the commitment of old and new supporters we reached a total of 2100 supporters this year, which allowed us to hire a Legal Director to work full time.

In this post our new Legal Director, Elizabeth Knight, discusses ORG’s upcoming legal work:

"I am delighted to be starting as ORG’s new Legal Director. I’m looking forward to working for such a dynamic organisation, and helping with ORG's vitally important and high profile work. I hope that having a full time Legal Director will allow ORG to increase its impact through litigation and bring legal expertise to its already strong policy work.

A bit about me: I'm a solicitor. I have experience of working for NGOs, as well as in the city and for the Government. Most recently I spent four months at Amnesty International where I authored a major advocacy document and worked on issues around surveillance. I hold a Masters degree in Human Rights. I have undertaken an internship at the UN, working on international law and human rights. I was also awarded a pro bono fellowship by my previous firm and worked at a human rights NGO in South Africa. I practise litigation, which has included human rights, judicial review and intellectual property work.

There are a lot of exciting legal projects planned. One of the major issues I will be working on is Error 451 and copyright blocking orders.

This campaign aims to establish a transparent format for legal website blocks, including details of the legal basis, the court order and the organisation responsible for the block. There are many problems with copyright infringement court orders, including being indefinite, part private, and lacking both a complaint mechanism and any requirement that information be made available to the general public.

We intend to obtain lists of and copies of court orders, transcribe the orders and promote the Error 451 code to ISPs. This project has the potential to set best practice internationally and ORG is very enthusiastic about it. If you are interesting in volunteering to help transcribe and publish court orders please contact me as we would welcome your help!

Another major area of work in the near future is campaigning on data retention in the UK, following the striking down of the Data Retention Directive by the Court of Justice of the European Union.

In our view there is now no legal basis for data retention in the UK. Our planned approach is to ask our supporters to write to their ISP and then potentially complain to the Information Commissioner in the event that the ISP refuses to cease retaining the supporter’s data. It may also include court action. More details on this new campaign will be available shortly!

I look forward to updating you soon with news of legal developments." -Elizabeth Knight


Thank you once again to all our supporters for making this position possible. We will keep you to update with our legal actions and
If you're not already on our mailing list and would like to learn more about our work through regular updates, please sign up on our home page.


[Read more] (1 comments)

May 29, 2014 | Javier Ruiz

How will government share your data?

Today ORG attended an important meeting between government and civil society groups to discuss Data Sharing across government.

The Cabinet Office has started an early pre-consultation process looking at removing barriers to sharing or linking different databases across government departments. The rationale is that this can help Government “design and implement evidence based policy, for example to tackle social mobility, assist economic growth and prevent crime”.

Open Policy Making

This engagement is part of the new “open government” approach, where groups such as ORG, Big Brother Watch, MedConfidential and No2ID are consulted very early in the process. This means that many things under discussion may never happen and it would be pointless to air them. This is quite unique, so ORG has agreed not to disclose detailed discussions until things take more shape, in order to allow for a safe space for frank discussions. There is a public paper outlining the proposals so far in the website and we have asked for more information to be published more often, including minutes of meetings and evidence presented. The process is open to anyone, and we certainly could do with more participation from civil society groups.

Concerns about Data Sharing

After the PR disaster around the release of medical information in the programme, and more recently the sharing of tax data with private companies by HMRC, the government is acutely aware of the sensitivity of these proposals. And for good reason: connecting databases gives government officials a richer picture of an individual’s life. This is a clear interference with the right to privacy that must be shown to be necessary and proportionate.

Data sharing within government tends to be a complicated process involving lengthy legalities. Some of this friction may be unnecessary formality, but part of the friction is also a safeguard against abuses. There is a public interest in making government more efficient, but removing too many checks and balances could also remove basic protections.

Moving to an extreme sharing by default position could fundamentally transform the relationship between citizens and the state, almost as much as the introduction of a national ID card.

Some will argue that the prize is worth the risk. Underlying these proposals is an understanding that more and better data will automatically translate into better outcomes. But this is far from clear and we will be looking for detailed explanations of how exactly more data sharing will help and what exact changes are needed. The ideas considered so far include both new legislation and practical measures. New laws should only come into place when it's clear that the problem cannot be solved by simpler means.

But we don’t have to support the status quo either. From what we’ve heard so far, data sharing can clearly be improved. The whole thing is perceived as arcane by public employees who have not been trained on how data protection works. Nobody in government knows how many data sharing agreements there are in place, and streamlining the process could allow for more transparency and consistency. It could even lead to less data being shared but used more efficiently.

Data sharing should be based on a general principle of consent. This should be individual informed lawful consent if possible and applicable to the case, which clearly is not in areas such as taxes and criminal justice. Other cases will require a social consent, much like policing in the UK is based on consent. But this is complicated. Perceptions of privacy are context dependant. We must be careful not to assume that a willingness to share personal details in social media automatically translates into lower concerns about sharing of data on tax, health, education or social security. Privacy is also heavily dependant on exposure and direct experiences, such as media scandal or a close relative suffering identity theft. So what appears to be ok today may cause outrage tomorrow

Government Proposals for Data Sharing

There are three main strands covered by the current proposals, all the information is at

1. Research and statistics

This strand brings together two distinct proposals that relate to existing policy development elsewhere:

Office for National Statistics (ONS) to access more data from public authorities

There has been a long consultation on the future of the census, which has recommended an end to the paper questionnaires, with a predominantly online census from 2021 supplemented by further use of administrative and survey data.

ONS would be receiving more data held by other parts of Government. The Statistics and Registration Services Act 2007 could be amended to authorise the disclosure of information held by public authorities to ONS for statistical purposes. The Cabinet Office argues that “information from HMRC, for example, could allow ONS to improve the quality and speed of estimates of GDP”.

Sharing of de- identified data for research

In many cases, research on Government and public body data is limited to the analysis of single data sets. A report by the Administrative Data Taskforce Improving Access for Research and Policy recommended a model of data sharing that allowed for cross-linked research on de-identified data.

The government has presented several examples where such research could be useful:

“identifying pathways to success, and barriers to social mobility by linking data on education, employment status and income. Improve energy efficiency and save citizens money by linking data on energy use with property data; Help deliver targeted crime prevention strategies.”

Improving evidence based policy and national statistics are worthy goals, but there should be proper safeguards against re-identification and a guarantee that any sharing will ultimately benefit the public.

Something we have learnt from the recent data sharing scandals is that taxpayers and users of the NHS don’t necessarily care about the technical details of how their identities are protected. They are angry about commercial entities profiting from their personal data - even if de-identified - and worried about negative consequences, such as hikes in insurance premiums.

Current proposals will need to address these very real concerns, which may fall outside the remit of privacy legislation. For example, using statistical data for targeted crime prevention strategies could easily turn into unfair profiling of sectors of the population, even if no individual is ever identified.

2. Tailored public services

The heading of “tailored services” is slightly confusing, as it would appear to relate to the delivery of personalised services to individuals already in receipt of benefits. But our understanding is that it includes mixing datasets to identify and refine target groups. This has completely different privacy implications.

The Cabinet Office defines the proposals very broadly new “powers to allow organisations to share data around specific groups of citizens who use multiple public services for the purposes of improving their health, education and employment”.

Examples presented by government include:

Data sharing between departments and local authorities to target energy efficiency measures and fuel poverty grants, reducing mortality rates and hospital admissions amongst vulnerable groups; Better identification of families requiring more assistance and targeting of services and support, reducing costs to government and delivering better outcomes for those most in need.

The idea is to create a framework for new data sharing channels that are flexible and broad enough to survive specific policy initiatives but narrow enough to be clearly focused on specific outcomes. But each new data sharing channel would still need to comply with data protection, so this flexibility should be limited.

For now we are exploring what a generic new instrument for data sharing would look like, and are trying to understand what are the existing frameworks and obstacles to sharing. Ultimately, the intrusiveness of a specific sharing arrangement will depend on the exact datasets and access involved in each proposal. This makes it very difficult to discuss a generic new "power" for data sharing.

The government is exploring safeguards with civil society, including “transparency of data shares so that the public are fully informed of the process”. But this is not enough. Transparency is important, and for ORG one of the best outcomes of this process would be clearer processes and some form of register of data sharing. But transparency is no substitute for protection against harms in the first place. In some cases, not sharing may be the best safeguard.

In our meetings we are also finding that many of the problems with data may not be directly related too a lack of sharing, but to implementation and use of data. For example, we heard complaints about file formats that could no be opened without specialist software. In other cases where sharing is an issue, we have heard complaints that the law in itself is not the problem. Clashes in the culture of departments and refusals to implement what is already legally available seem important issues that could be solved without creating a new "data sharing legal power".

There are many open questions on which agencies would be covered, and proposals need to be analysed individually to ensure that there is a need or benefit in data sharing. For some people, concerns about stigmatisation and potential profiling may not compensate any benefits that they would get by being included in a program. These people should have the choice not to be part of the process. This has been happening with free school meals, where many parents  of eligible children prefer not to tell the schools.

By focusing on public services we are generally dealing with vulnerable groups. We have to be careful to avoid paternalistic attitudes that create a two tier system where some citizens have lower privacy protections than other based on socio-economic circumstances.

3. Fraud, error and debt (FED)

The government believes that data sharing would dramatically reduce the estimated £37 billion lost to FED each year. They describe the status quo as “an inconsistent patchwork quilt of legislation that is difficult and time-consuming to navigate”.

The idea is that new “permissive gateways” would allow for any new datasets need to be shared, but limit the organisations involved and purposes. This will have to include DWP and HMRC at least, but the idea seems to be quite a flexible and very ambitious system where

“any public authority or organisation providing services of a public nature on behalf of a public organisation could apply to join the lists of those who can share data for these purposes. The addition would be made by secondary legislation.”

Everyone has to contribute their fair share to the public finances, but these proposals have clear and huge privacy implications. We would hope to see well develop evidence of benefits to justify such intrusive system, and so far we have only seen projections of huge savings from limited pilot studies by the Cabinet Office’s FED Task Force.

We need to decide what level of FED, with a corresponding level of intrusion, we as a society are prepared to accept. Making FED completely disappear is virtually impossible without creating a totalitarian dystopia. Besides, a lot of tax money appears to be lost to legal avoidance schemes by companies and high net worth individuals. It is unclear how much these would be affected by a rewrite of the privacy rule book for ordinary citizens.

These proposals could have popular appeal. It is increasingly socially unacceptable to abuse social security benefits, although a lot less so to avoid paying the right amount of tax. But in any case, it is unclear how targeted this data sharing would be. It is very possible that the personal data of large groups of the population would be shared and processed to find out the minority of people defaulting the exchequer.

The special case of HMRC

Many of the above proposals involve data sharing from HMRC, and we believe that this should be dealt with separately. There is clear social concern after The Guardian published an article alerting of proposed changes to HMRC's statutes that allegedly would allow them to sell data to commercial companies. More than 300,000 people have signed petitions by ORG, 38 Degrees and SumofUs asking HMRC to reconsider.

While other ministries can share data under common law powers, HMRC is unique in its legal constraints to protect taxpayer confidentiality, as explained in their consultation documents for the proposed changes:

HMRC was created by the Commissioners for Revenue and Customs Act 2005 (CRCA). This legislation provides strong protection for the information that HMRC holds. HMRC officials are prohibited from sharing information except in the limited circumstances set out in the CRCA. This legislation enshrines the core principle of what is often described as ‘taxpayer confidentiality’.

The CRCA prohibition on disclosure applies to all of HMRC’s information including non-identifying (general, aggregate or anonymised) information as well as information on identifiable individuals or legal entities. As a result, it is arguable that for non-identifying information the current disclosure restrictions afford more protection than is necessary.

These fundamental changes should be properly discussed against concerns that private companies will access taxpayers’ data.

There could be some good reasons to share more HMRC data, for example aggregated postcodes of home and workplace of employees could be used to improve transport planning. And the gender pay gap is a lot smaller in Scandinavia where tax information is available. But it is not clear that all data sharing will have a public benefit. Selling such unique data to credit agencies and other big institutions will only entrench the asymmetry of information against citizens.

We need more people to help shape data sharing

ORG are coming into the process with an open mind and trying to influence the outcomes. We would love to be able to say that we helped create sensible proposals, but we will never endorse something that goes against our principles.

The pre-consultation process is open to anyone with an interest. At present this is largely civil society organisations, mainly focused on privacy, but we would encourage more people to join in. It would be particularly useful to have more participation from groups and individuals directly affected or working with the target groups - vulnerable families, NEETs, ex-offenders; experts in taxes and fraud, etc. Privacy advocates normally lack the detailed knowledge of these domains.

The meeting today marks the end of the initial round of the open policy making process. We will be discussing the results so far and our next steps as soon as the notes are published in the Data Sharing website.

[Read more]