Blog


November 07, 2013 | Ruth Coustick-Deal

Donate to stop surveillance

ORG has launched a new campaign to fund next year's fight against Internet surveillance.

Right now we're asking for new supporters to help us grow so we can take on what may be the biggest threat to liberty of this generation.

You can help by joining ORG now

ORG have to work very fast to challenge the silence of the press and politicians.

There have been clusters of stories released by the Guardian showing that the UK's intelligence agency GCHQ routinely collects everybody's online data.

We've learnt that they can do this without specific warrants and with little oversight. We've heard that they share that intelligence with foreign security agencies, and they enable foreign agencies to snoop on us.

But, the Government have stifled the discussion by defending their own bad practices and attacking and questioning the free press.

To make this an election issue that everyone's talking about, we need to change tactics.

This is why we are asking for you to take this opportunity to join ORG. If you have any concerns about the erosion of your civil liberties online, ORG is best placed to fight for real change. We've already joined Big Brother Watch and English PEN to launch a European legal challenge against the UK Government in Strasbourg, but there's so much more to do.

So what do we want to achieve?

There are a number of projects that we'd love to do, but we need your support to make them possible.

-Bring computer security specialist Bruce Schneier to the UK to share his expertise with Parliament and help educate MPs

-Keep surveillance on the front pages and generate new stories to make sure everyone's talking about the surveillance scandal

-Produce a report into the impacts of PRISM and Tempora on UK businesses

-Support cryptoparties around the country to educate people about keeping their online activity private

-Run an MP Lobby Day to mass petition parliament for change

-Persuade other campaign groups that defending privacy should be part of their mission

You can help!


November 06, 2013 | Ruth Coustick-Deal

Friend Sign-up Scheme Tips

If you're a supporter of Open Rights Group, can you help boost our strength to fight the biggest battle against surveillance yet?

The surveillance debate is at a critical moment and you can help.


As part of our drive to hit our significant goal of 2000 supporters – and to let us do a whole host of work defending privacy over the next years, we'd like you to help us recruit new supporters to fight alongside us. By explaining how important the current surveillance debate and the leaks are, we hope your friends will want to join up to ORG to help fight intrusive and over-reaching snooping.

Who can I ask to join?

The best way to help us increase our membership and get your sign-up rewards is to find a friend who you know should be a member of ORG. Maybe a friend who:

  • Voices fears about all the data companies like Facebook know about them

  • Is worried about Government surveillance

  • Has been sharing links on their Twitter account about the Snowden revelations

  • Is interested in preserving freedom of speech for minority groups

  • Is passionate about social justice and human rights work.

What are the key reasons to join ORG?

ORG are a small organisation. We’ve achieved a great deal with the resources that we have, but without expanding our staff and our funding we won’t be able to expand our remit and achieve all of the above.

If you're struggling to seal the deal and convince someone to become an ORG supporter, maybe these 3 points will help make up their mind.

1. Surveillance threatens both the right to a private life and the right to freedom of speech. This fight is the biggest threat we've seen and ORG is the best equipped to fight it.

2. ORG have made real change on copyright, parody, open source, open data, privacy, free speech, e-voting and DRM. Joining ORG doesn't just help turn back the tide on surveillance culture, it's a long-term investment in your rights online.

3. Being a supporter gives you lots of benefits, like discounted tickets to all our events, a free gift in our welcome pack and chances to influence our policy and the digital debate for years to come.

What's actually happening?

This summer we learned that the UK's intelligence agency GCHQ routinely collects everybody's online data. They can do this without specific warrants, with little oversight, and there has been little debate about the scope of their power.

Tempora

Tempora is a UK GCHQ (Government Communications Headquarters) programme that stores all data flowing through UK fibre optic cables so that it can be analysed by GCHQ staff. The Tempora programme allows for collection of what sites people visit, search terms used and social media posts.

PRISM

PRISM refers to a US NSA (National Security Agency) operation begun in 2007 to collect private information belonging to users of major US internet companies such as Microsoft, Google, and Yahoo. The leaks by Snowden suggest that the NSA has direct access to the servers of these companies.

There's also a handy guide on the Verge which helps explain what's going on and what all these other acronyms floating around mean.

Why does surveillance matter to everyone?

The quiet state of surveillance silences everyone. Confidentiality is a serious matter. People who are under surveillance are afraid to speak or act openly. If someone thinks their movements are being recorded, they might not want to:

-book into a women's shelter

-carry out their investigative journalism

-talk about their sexuality openly on a private forum

-plan a demonstration.

The surveillance revelations are incredibly serious and have a chilling effect.

It's not just our security services who have access to this data, it's agencies and private contractors across the world.

With that many people watching and recording, it is inevitable that we will start to censor ourselves, qualifying, altering and avoiding controversy - and freedom of speech is lost.

What can ORG do, when the threats seems so big?

We have already launched a legal challenge alongside English PEN and Big Brother Watch to take the Government to Strasbourg on human rights grounds. We have responded to President Obama's review board of the NSA and we have been speaking to the media constantly to raise awareness of privacy rights.


We also took on and defeated the Snoopers' Charter, a proposal for mass surveillance legislation, after a 2-year campaign, co-ordinating with a huge group of civil liberties organisations.

We have the knowledge and skills to take this challenge on, but there are some big tasks we need to be able to take on to win.

ORG wants to be able to:

-Bring Bruce Schneier to the UK to share his expertise with Parliament and give evidence to the Intelligence and Security Committee inquiry.

-Produce a report into the impacts of PRISM and Tempora on UK businesses

-Bring the issue back to page one of the papers, having the time to do more media work.

-Organise and assist cryptoparties around the country and educate people about privacy

-Run an MP Lobby Day to mass petition parliament for change

-Persuade other campaign groups that defending privacy should be part of their mission.

We're relying on ORG supporters like you to spread the word so we can meet this challenge that Edward Snowden's given us.

If they have any questions about what we do, we're happy to take the time to chat on phone or email. Anyone can join up here.


November 01, 2013 | Alexandra Stefanou

Summary of Westminster Hall surveillance debate

Yesterday saw Parliament’s first substantial debate on mass surveillance. Here, we summarise what the MPs said.

ORG Advisory Council members MPs Tom Watson and Julian Huppert as well as Conservative MP Dominic Raab called for a discussion on 'oversight of intelligence and security services', which took place in Westminster Hall. 

This debate finally provided a platform for all aspects of the debate in Britain to be discussed. You can read a transcript of the debate on Hansard, or you can watch a video of the session. The most relevant issues were:

  1. The Intelligence and Security Committee’s ability and suitability to provide oversight of the intelligence agencies
  2. The legality of RIPA and Tempora 
  3. Consensus on whether mass surveillance is occurring

1. The Intelligence and Security Committee (ISC) is the independent body charged with the oversight of the powers of the intelligence agencies. It was the committee’s ability and suitability to scrutinise the intelligence agencies’ extensive powers that caused one of the main divides in the chamber.

On one side were those who believe the ISC does not have the capacity for the oversight required because it is under-resourced. David Winnick expressed concern over the committee’s accountability and John McDonnell mentioned that there is a potential for conflicts of interest (as members of the ISC may have previously been involved with the work of the security services, for example former Foreign Secretary Malcolm Rifkind). 

On the other side (including the chair, members of the ISC and the Minister of Security) were those who believed the committee is perfectly equipped to perform the necessary oversight. Malcolm Rifkind, the chair of the ISC, explained that recent reforms have already implemented some of the changes suggested. 

A noteworthy exchange was between George Howarth (ISC member) and Tom Watson. In his statement, Mr Howarth made the assurance that the ISC had already looked into the legality of PRISM and Tempora and issued a relevant statement in July. Tom Watson then asked “was July the first time that the Committee had examined Prism, and was that after the Guardian revelations?” Followed by laughter across the room, Mr Howarth then explained that the examination came after the publications and that he was unable to disclose details of their examination. 

Alluded to toward the end of the debate by Malcolm Rifkind and the Minister for Security James Brokenshire was the view that much of the detail of the oversight should be withheld from the public. In fact, when asked by Mr Meacher why the ISC did not know about the Tempora programme when it was launched, Malcolm Rifkind responded that there is actually no way of knowing if the Committee knew about it prior to the Guardian publications; “We are given classified information, and the whole point of an independent Committee having access to top secret information, whatever that is, is that we do not announce what such information is”.

This is the fundamental difference between the two sides. Tom Watson made clear to the Minister that the discussion on oversight was about scrutiny and ensuring that proper safeguards are in place when implementing new technology that is not covered by existing legislation. The Minister’s answer to this was simply, that the intelligence agencies always operate under strict policy frameworks and within the law. The problem with these responses is that they offer absolutely no answers to concerns over the reliability of the ISC as expressed by David Winnick in his statement to the debate. It seems as though we are meant to accept the law isn’t broken, just because the law exists.

Within this discussion also lies the question over what information the public is entitled to know. If not for the sake of scrutiny, should people not know if their information is being collected and stored under privacy rights granted to them in a democracy? Julian Huppert referenced this right to privacy multiple times in his opening statement.

 

2. On the question of legality, the house was roughly split between two groups. Those who believe the ISC was operating within British law (Ben Wallace and Hazel Blears both specified that Tempora complies with British law, making no reference to international agreements). This team of MPs seemed to be satisfied with the assurance that the intelligence agencies wouldn’t do anything illegal.  

Then there was the group including Julian Huppert, Dominic Raab, John McDonnell and Tom Watson that called for an investigation into whether there had been a breach of law. In addition, Tom Watson and Dominic Raab called for a review of the legislation if mass surveillance was legal. Mr Watson said “If the Minister is telling us that the law permits such fundamental abuse of liberty, the law is wrong and must be changed.”

The Regulation of Investigatory Powers Act (RIPA) was referenced by both parties to support their respective arguments. According to the MPs that supported the legality of mass surveillance, the security agencies were operating in accordance with RIPA. According to the MPs that questioned mass surveillance’s legality, RIPA is extremely complicated and vague. Michael Meacher said that instead of curtailing surveillance activities, the Act facilitated them. He also said:

“RIPA is so poorly drafted—one almost wonders whether that was deliberate—and is open to such broad interpretation that it allows Government agencies such as GCHQ to do whatever they like.”

 

3. There were also MPs who didn’t believe mass surveillance is taking place. The very peculiar argument formulated sounded like this: 

First, for the sake of national security it is necessary for intelligence agencies to maintain an edge (as phrased by James Brokenshire) by having access to all this information. As Martin Horwood phrased it “if we are to find needles in a haystack, we need to allow people to look at the haystack”.

Julian Lewis then added “The question is whether we then have access to the irrelevant parts of the haystack, or legally supervised targeted access to those needles in the haystack, which can be detected as a result of modern technology. This is all about the mass collection, mass storage and interrogation of mass data so collected and stored.” 

The response to this was that intelligence agencies should continue with their surveillance and investigation, but not collect everyone’s information. As Julian Huppert said in the current situation “we are all suspects whose personal histories can be foraged through if ever there is interest in us later.”

However, the answer to this, from Malcolm Rifkind, was that in fact mass surveillance isn’t taking place at all because no human being looks at the vast majority of the information collected. 

Martin Horwood also said: “A lot is said, and a lot of allegations are made, about mass surveillance, but if it was really taking place, it would—apart from being wildly impractical—be straightforwardly illegal.” This seems to miss the point, as the precise purpose of the discussion is to find whether the mass surveillance operations are legal.

On the whole, the debate was quite useful in formulating the arguments and providing a basis for further discussion. The essential differences were that one group of MPs had the blind faith that the intelligence agencies were operating under law. This faith seemed to stem from official statements that say intelligence services always operate according to the law.

The other group of MPs were not satisfied with these statements and wanted a more stringent investigation.

To see how these arguments develop, be sure to follow the ISC’s open evidence session with the heads of intelligence agencies, next Thursday 7th November.



October 25, 2013 | Peter Bradwell

Ask your MP to join the surveillance debate

There's a debate in Parliament next Thursday about mass surveillance. We'd like you to ask your MP to take part.

The MPs Tom Watson, Julian Huppert and Dominic Raab have secured a 'Westminster Hall' debate in Parliament next Thursday, on 'oversight of intelligence and security services.'

Intelligence agencies have significant powers to collect and analyse private information. It is Parliament's responsibility to ensure these are necessary and proportionate, and that they are not abused.

We now know from Edward Snowden's leaks that GCHQ has developed a range of alarming mass surveillance programmes, for example the tapping of undersea fibre-optic cables under the codename 'Tempora'. From the information published so far, it seems clear that surveillance law is unfit for the digital age and that significant reforms are needed.

Debates about the limits of surveillance and the oversight of intelligence agencies are being held in America and across Europe.

Yet MPs here have seemed reluctant to take the initiative and discuss mass surveillance by UK intelligence services. And so far the Government have only seemed worried about whether newspapers should have told us anything about the surveillance.

It is high time a substantial debate took place in the UK too.

The debate next Thursday will be the first substantial debate in Parliament about the mass surveillance revealed by Edward Snowden. It is an opportunity to kick-start our politicians into debating mass surveillance. That will give us a better chance of getting surveillance laws changed so they better respect our privacy.

You can help now.

Please get in touch with your MP and ask them to speak up about this issue. Tell them why it matters, why you'd like them to attend the debate, and why you think they should stand up for your privacy. You can use the following form:

Write to your MP



September 26, 2013 | Peter Bradwell

Culture Committee copyright report one-sided and simplistic

This morning the Culture, Media and Sport Committee published its report into how to support the creative industries. While it is a wide-ranging report, on copyright reform there is plenty to be disappointed about.

Today the Culture, Media and Sport Committee published a report called 'Supporting the creative economy.' (pdf version) Jim and I gave oral evidence to the Committee in January, and submitted written evidence last year.

Overall the Committee's report is a fairly disappointing and unimaginative piece of work. They offer a view of copyright that is too simplistic, one-sided and which effectively tries to reduce the debate to whether you like the creative industries or not. They thus ignore the wider impact of new technology on citizens as creators and participants in culture, and on how markets for cultural goods can now function most effectively. 

From our initial look over the report, here's a few of our more specific concerns and thoughts. 

 

Carelessness with privacy concerns

We were surprised to see the Committee dismiss the privacy concerns around targeted advertising, saying:

“The Advertising Association’s evidence goes on to express deep concern about draft EU Data Protection Regulation “which could damage direct marketing, internet advertising, and the UK economy both off and online”. Increasing use is being made of personal data to target online advertising better. While concerns around this have prompted reviews of data protection legislation, we do not think the targeting of appropriate advertising—essential to so many business models — represents the greatest threat to privacy.”

As far as we can tell, the Committee fail to look in any way at how targeted advertising works, how it collects information, or at the rules governing how companies can use and share our personal information. They've taken the opinions of the advertising industry as given. It's one-sided and analysis-light, which helps demonstrate more general flaws with the report.

We do not control when the gadgets and services we use leak information about us. The rules about what companies who get that data can do with it are woefully inadequate. For example, health and fitness apps on our phones or wristbands share all sorts of data about us to companies whose privacy policies can be unclear, and who face some pretty lax regulation. This is one reason so few people trust the businesses we deal with online.

The Data Protection Regulation is currently being discussed in Europe and could help give people control over their data. But there's a very real danger our rights will be ignored, due to intense lobbying from advertising and technology groups. This is despite the revelations over the summer that once data about us is shared, security services have some fairly unaccountable powers to access most if not all of it. 

The Committee appear entirely uninterested in or unaware of these important questions because a trade group for one of the industries affected told them it might damage their interests. This is an unhelpful time to be so cavalier. 

 

ORG's work and the importance of freedom of expression online

We were also surprised and rather delighted to see that the Committee acknowledges our work promoting freedom of expression online. 

As a small, independent organisation we rely on the financial support of concerned individuals. So if you are new to us and worried about Parliament's consistent failure to understand how technology should work for individuals and support our human rights and civil liberties, please consider joining.

Bashing Hargreaves and copyright reforms

Looking at the copyright reforms kicked off by the Hargreaves Review in 2011, the Committee say:

“Following all the evidence we have received, we think Hargreaves is wrong in the benefits his report claims for his recommended changes to UK copyright law. We regret that the Hargreaves report adopts a significantly low standard in relation to the need for objective evidence in determining copyright policy. We do not consider Professor Hargreaves has adequately assessed the dangers of putting the established system of copyright at risk for no obvious benefit.”

This conclusion is unfair and somewhat inaccurate. First of all, it seems to focus on the Hargreaves report itself, which is to ignore the work that has gone into the implementation of the report's recommendations since, including the reviews and oversight that have gone alongside that work. For instance, the Committee don't mention the BIS Committee Review into this very issue last year, which concluded something very different:

“A considerable amount of high-quality work on policy development has been undertaken in the year since the Hargreaves Review. It will be important to maintain that momentum alongside the more rigorous approach to policy formation that Hargreaves recommended. Conclusions are near to formation in many areas, and the Government should press ahead with measures to implement new policy in those areas as soon as possible. We recommend that the Department act swiftly to bring in legislation to that effect.

169. While we recognise that the Government is undertaking a major reform in a complex area, changes are both necessary and urgent.”

and 

“We welcome the Intellectual Property Office’s reassurances that more detailed analysis is on-going and trust that it will pursue that work and act on external criticism of data and methodologies. We also agree that the involvement of the Regulatory Policy Committee as an independent auditor of economic analysis is a sensible policy development.”

The BIS Committee mention the Regulatory Policy Committee (RPC). Their remit is to provide independent advice to Government on the quality of analysis supporting new regulations.  The RPC members include Ian Peters, the Chief Executive of the Institute of Internal Auditors and Jeremy Mayhew, chair of the Audit & Risk Management Committee as a non-party Common Councilman on the City of London Corporation. 

The RPC have reviewed a number of the proposals for exceptions, giving a 'green' status to the copyright exceptions for private copying, parody, archiving and preservation, for disabled people, for text and data analytics, and exceptions for educational use. 'Green' means the Committee “have no significant concerns with the quality of analysis and evidence presented. We make suggestions where we think the IA could be improved to deliver greater clarity or to aid understanding. A Green rating means we judge the IA to be ‘fit for purpose’.”

The work of the RPC, as far as I can spot, is mentioned zero times in the CMS Committee report. 

The reforms proposed by Professor Hargreaves and now being implemented by the Government, which are roundly criticised in this report, are actually modest and long overdue. A number of independent reports have recommended similar steps. That includes the Gowers Review in 2006, which came to strikingly similar conclusions. The recommendations for new copyright exceptions made in that review were never followed up. 

Richard Hooper CBE, who with Ros Lynch ran the recent work looking at the feasibility of a copyright licensing Hub, said in his oral evidence to the Committee that the reforms were reasonable and the Government should get on with implementing them:

What I would say to this Committee is we have had five years of to-ing and fro-ing on the issue, and if this Committee can get the laws sorted out, get it done, then we can start focusing on the really important issues, otherwise a huge amount of energy and time and lobbying is going to be spent on this for the next five years.

I think that the Government has come up with, by and large, very sensible recommendations on orphan works, extended collective licensing, codes of conduct for collecting societies and exceptions.

He repeated such thoughts in a speech to the London Book Fair, in which he said:

"We have spent years first with the Gowers Review and then the Hargreaves Review discussing and debating changes to copyright law. The current proposals are broadly sensible, with the exceptions not being too widely drawn."

So the new proposals have been repeatedly exposed to consultation and review. They are modest, narrowly drawn and address some clearly defined needs. The Government should ignore this distraction and continue with their implementation.

 

The Digital Economy Act

There is a welcome acknowledgement that the Digital Economy Act suffered from a lack of debate in Parliament and was rushed through. We also welcome the fact that the Committee recognises the problems with public wifi, although they offer no solution or recommendations on how to address them.

Here's what they say:

"The delays in implementing the DEA are thus by no means all attributable to the Government: the legal action by BT and TalkTalk certainly contributed. As, perhaps, did the haste with which the presaging Bill was originally rushed through Parliament with relatively little debate in the House of Commons. We acknowledge that the DEA has its limitations; for example it is not applicable to mobile devices and there needs to be greater clarity over the situation of public Wi-Fi. We recognise, too, that effective enforcement of copyright is likely to focus more on targeting illegal activities on a commercial scale—on “following the money.”

It's a shame that the Committee still have faith that the Act is worth pursuing, and it's a shame that the Committee support the possible voluntary arrangements for a new three strikes regime. That is to ignore all the important questions about standards of evidence against alleged infringers, data protection and rights of appeal that led the Digital Economy Act itself into such trouble. 

 

Ignoring what's already being done to provide good evidence

It is also unfortunate that, having stated again that objective evidence is important, the Committee fail to mention any of Ofcom's work researching copyright infringement and who those who claim to infringe are. It tells us lots of interesting things, such as that those who say they infringe copyright also say they spend the most on legal content. This is despite ORG mentioning the Ofcom research in our oral evidence to the Committee.

Incidentally this was paid for by the IPO, who the Committee claim are on some anti-copyright crusade. 

Somewhat bizarrely, the Committee call for the IPO to include more research into piracy in its annual report. The recent Ofcom research was their last in a series of reports, which has ended because the money from the IPO has run out. Having praised the effort to produce useful numbers, nobody at the launch event could offer solutions to how the research would continue and where funding would come from. The Committee could have looked at how to encourage and get funding for independent, robust evidence. But they did not do this, or seem aware that Ofcom have been doing such research and that it was funded by the IPO.

The report also fails to mention research into the effectiveness of three-strikes regimes, the most recent of which concluded that there "is little to no evidence that graduated responses are either 'successful' or 'effective'." 

'Robust evidence-based policy' seems to basically have come to mean 'evidence I agree with and which helps support the conclusions I have already arrived at'. 



September 20, 2013 | Jim Killock

Say no to the Nomitax!

This coming Monday, Nominet's consultation on a .uk domain ends. We are asking everyone to respond and say 'no'.

Nominet were told to stop creating new second level domains (like .co.uk or .me.uk) because they are a monopoly, and instead an independent consultative group decides when new .uk domains are needed. This group also decides who controls them, to avoid Nominet simply inventing new second level domains (SLDs). This is important, as many people want to own all the domains potentially associated with their personal or company name. Only really new and non-confusing SLDs should be added, so that this problem is avoided.

Nominet have circumvented this attempt to stop them printing money and demanding new registrations from UK domain owners, by asking to allow anyone to own a top level .uk domain. This means you will now be faced with registering not just mydomain.co.uk and mydomain.org.uk but also, if you want to control the name, mydomain.uk – resulting in a windfall for the cash-rich Nominet, but plenty of problems for everyone else.

For instance, in the future, how will you know if someuniversity.uk is a real University, or just another commercial outfit posing as an HE establishment? Will thelawcommission.uk be a government body, or a private entity?

Aside from this confusion, Nominet's consultation makes an extraordinary attempt to argue that it needs more cash because it operates in the public interest, so more cash means more public interest activities for the public.

This is the standard argument for a tax, not a new round of domain registrations. Nominet are not entitled to make such a tautologous argument, their public purpose is to provide a secure and trusted domain registry service.

If their new registry policy does not serve that – and they don't manage to argue that it does – then they cannot simply say that more cash for Nominet is a great reason to charge UK domain owners for new domains.

You can respond using their online form. You can also read their full consultation page and our response.

Say no to the Nomitax!



September 06, 2013 | Jim Killock

The security services are stripping us of basic Internet security

The latest revelations from the Guardian give good evidence of why they have recently been the target of government harassment, and also why this is entirely unjustified.

Their reports of NSA and GCHQ attacks on fundamental Internet security really matter. These are the basics of trust on the Internet; they are the reason you trust your bank, your credit card payments or Virtual Private Networks not to leak this information to criminals, blackmailers or governments.

Thus the real impact will not just be about security, it is about economics.

Of course we all expect the NSA and GCHQ to try to break encryption systems from time to time; it's their job. The problems arise when they make us all vulnerable as a result.

From the Guardian article, it appears they use threats and secret orders given to commercial companies to insert backdoors that must now undermine our trust in very common software products. They covertly insert vulnerabilities that weaken security of technical systems for everyone, not just their targets.

The idea that this won't be abused by yet unknown parties can only be naïve optimism, plain stupidity or complete disregard for anything other than the NSA and GCHQ's mission.

How it works

This isn't about breaking the maths - at least not usually - it's about exploiting the 'joins' between the pieces of software, introducing flaws in the implementation of cryptography, and inserting more general 'backdoors' into the communications which don't rely on the cryptography at all. Schneier gives some good examples:

Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake.

The agencies seem to be doing this directly with companies and standards bodies, on a very wide basis. Many of these techniques are better thought of as planted software vulnerabilities than as attacks on the cryptography.

Thus their strategy relies on people trusting big companies, or not paying attention to the work of the standards bodies that choose security protocols.
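To make the first of Schneier's examples concrete, here is an added illustration (not code from the original post, and not taken from any real product) of why "making the random number generator less random" is a backdoor rather than a bug. A key generator that takes only a 16-bit seed still emits 128-bit keys that look perfectly random, but anyone who knows the weakness can enumerate every possible key offline. The keyed operation observed by the attacker is just an HMAC over a known message, standing in for any protocol where output computed under the key is visible; the message, the seed and the function names are all constructed for the example.

```python
"""Added example: a 'subtly less random' key generator and the offline attack it enables.

Both the backdoored generator and the honest one produce 16-byte keys that are
indistinguishable by inspection.  The difference is the size of the space an
attacker has to search: 2**16 keys versus 2**128.
"""
import hashlib
import hmac
import random
import secrets
from typing import Optional

KEY_LEN = 16          # bytes; a 128-bit key
SEED_BITS = 16        # the backdoor: only 2**16 distinct keys can ever be produced


def backdoored_keygen(seed: int) -> bytes:
    """Deliberately weak: a deterministic PRNG seeded with a 16-bit value.

    The output is 128 bits long and looks uniform, which is exactly what makes
    this kind of weakening hard to spot from the outside.
    """
    assert 0 <= seed < 2 ** SEED_BITS
    return random.Random(seed).getrandbits(8 * KEY_LEN).to_bytes(KEY_LEN, "big")


def honest_keygen() -> bytes:
    """What the product should do: draw the key from the OS CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def tag(key: bytes, message: bytes) -> bytes:
    """Any observable function of the key will do for the attack; HMAC is convenient."""
    return hmac.new(key, message, hashlib.sha256).digest()


def recover_key(message: bytes, observed_tag: bytes) -> Optional[bytes]:
    """Offline brute force over every seed the backdoor allows.

    Succeeds only because the generator's effective entropy is tiny; against
    honest_keygen() the same loop would need 2**128 trials.
    """
    for seed in range(2 ** SEED_BITS):
        candidate = backdoored_keygen(seed)
        if hmac.compare_digest(tag(candidate, message), observed_tag):
            return candidate
    return None


def in_backdoored_keyspace(key: bytes) -> bool:
    """True if 'key' is one of the 2**16 values the weak generator can emit."""
    return any(backdoored_keygen(s) == key for s in range(2 ** SEED_BITS))


def demo() -> dict:
    msg = b"transfer 1000 GBP to account 12345678"   # constructed sample message
    weak_key = backdoored_keygen(0xBEEF)              # victim's 'random' key
    observed = tag(weak_key, msg)                     # what the attacker sees on the wire
    strong_key = honest_keygen()
    return {
        "weak_key_recovered": recover_key(msg, observed) == weak_key,
        "trials_needed": 2 ** SEED_BITS,
        "strong_key_in_backdoored_space": in_backdoored_keyspace(strong_key),
    }


if __name__ == "__main__":
    print(demo())
```

The point is not the brute force itself but that nothing about the weak key, or the traffic protected by it, reveals the weakness; only knowledge of the generator's construction does. That is why "explained away as a mistake" works, and why the post's recommendation of code you or people you trust can read is the practical defence.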

However, the focus on what cryptographic weaponry the NSA and GCHQ might have in their toolchest risks distracting from the far more pressing problem of poor operating system and application security. When it is possible for teenagers to own botnets containing hundreds of thousands of compromised machines, why would spy agencies waste their time and effort on the hard problem of attacking cryptographic protocols? It is far easier to simply take control of their targets' computers. All the crypto in the world will not save you if there's a virus on your machine - and one thing we know for sure is that it is very easy to attack most computers. No speculation about esoteric mathematics is required to see the truth of that. As Snowden says:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

The weak point the agencies in practice seem to be using is software security, rather than crypto.

What this means: Economic and rights implications

Vulnerabilities and backdoors are open to anyone, potentially, to exploit. While the NSA and GCHQ may benefit, other foreign intelligence or criminal gangs could use some of the same exploits. For instance, VPN technology is relied on by businesses for security.

This pushes the whole policy outside of the realm of national security and into economics and competition, with important consequences for the UK government, given its role in the affair.

As long as the NSA/GCHQ surveillance scandal remained within the framework of national security, EU rules would make it the exclusive competence of member states. The UK could tell the European Commission to back off.

But given the clear economic implications for the wellbeing of millions of European citizens, it will be hard to argue that this remains a UK issue. We will have to push hard to get the EU to acknowledge this when so many of the member states are complicit. The others are not necessarily critical, either. Only the economic consequences are likely to help us make the EU take this up and investigate.

Our rights to privacy are important for many reasons, including as a backup to free speech. They are a bulwark against abuses of the state and a means to retain our personal freedom on a day-to-day level. But we know that at times they can be compromised, for reasons of state security. Programmes like these, however, take matters even further than mass data collection: they compromise our rights in a pervasive way, without our knowing who else might end up using the same weaknesses against our privacy and security. It is both a massive overstepping of government power, and simply irresponsible.

What we can do about it

Standards bodies seem to be one place where the security services have deliberately tried to introduce vulnerabilities. The Guardian say:

[a] secret document …shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006. "Eventually, NSA became the sole editor," the document states.

In the USA, according to ProPublica, the NSA Commercial Solutions Center invites vendors to submit their software for assessment, but this in fact seems to be a mechanism for compromising their products:

Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

There is a clear conflict of interests in allowing intelligence services to specify other people's security standards.

In the UK, the Communications-Electronics Security Group (CESG) approves communications technologies for government and for people contracting to it. CESG is a civil arm of GCHQ, the rationale previously being that GCHQ should know about security. Its website lists several commercial certification products. Some of these are geared to companies trying to sell to government, but others simply give approval to technologies and processes.

We have a simple question to CESG: have CESG approved any product that is known to be compromised by GCHQ or the NSA? And if they have, why should anyone take their security approvals seriously in the future?

They need to be made into fully transparent, public interest bodies that run independently of the security agencies, and perhaps of government. Information assurance and signals intelligence simply cannot be housed in the same organisation.

For yourself, use open source security technologies: if you can't read the code, you don't know how the software might actually operate. If the code is open, then it can be reviewed - if not by you, then by people you trust. Use transparent and interoperable encryption wherever you can, as Schneier recommends, to make it as hard as possible for the security services.



September 05, 2013 | Jim Killock

Nudge censorship: questions for ISPs and government

Back on 18 June, Maria Miller MP brought Internet companies to her office to talk about what can be done about various types of undesirable, offensive, adult or illegal online content.

A few weeks earlier, she wrote to some of these companies to shake them down, asking what money they could promise for an education campaign that nobody had specified, discussed or designed.

Behind this was the Prime Minister David Cameron's wish to announce something in a forthcoming statement.

We all know about that statement; in it he announced Nudge Censorship plans and that all the major Internet companies are going to install network level filtering.

At the time that Maria Miller was meeting Internet companies, we wrote with Index on Censorship, Big Brother Watch and English PEN to insist that civil society organisations be involved in discussions about any kind of censorship – including nudge censorship. This is because the impact on free expression of unintended censorship is the same whatever the original intent. Our concern is about content that is legal and that the government should not restrict.

These problems are of course much worse with the proposed "adult filtering". As we know, the categories of content will be extremely wide.

However, Maria Miller did not invite us to those meetings. At the time we heard that they were very heated, and dominated by Claire Perry MP, who works as advisor on these issues to David Cameron. As we know, she thinks problems with false positives are "a load of cock", which rather emphasises the need for groups like ours to be present to ask the difficult questions.

As the government had seemingly failed to look at the difficult issues, we sent twenty questions about implementation to the major Internet Service Providers. They concentrate on privacy, liability for mistakes, correction of mistakes, transparency for website owners, the set up process and what precisely is filtered other than http (normal website) traffic.

We asked the ISPs to provide us with answers last month. They have all promised us responses. We haven’t received any yet. BT say they will give us an answer today, we expect Virgin and TalkTalk's shortly and we are waiting to meet with Sky to discuss their answers.

Today we are meeting with Ed Vaizey MP, the Minister at DCMS responsible for the Internet, to discuss these issues. We will ask Ed's officials whether they have considered any of the questions we have asked, and explain why they are so important.
