December 14, 2007 | Becky Hogge

Write to your MP today: stop the Government's privacy timebomb

On Monday next week Kieron Poynter of PricewaterhouseCoopers will publish his report into the failures that led to HM Revenue and Customs (HMRC) losing 25 million confidential records about UK citizens claiming child benefit. The HMRC fiasco, and privacy debacles before and since, demonstrate a public sector culture of complete disregard for the privacy and security of individuals in the UK.

There will be a Ministerial statement about the Poynter Review in the House of Commons on Monday afternoon. If you haven't already, please write to your MP today and ask her or him to put your concerns to policy-makers during this session. This culture of disregard for personal privacy combined with the Government's continued belief in the aggregation and sharing of vast amounts of personal data across agencies is a privacy timebomb.

If you're unsure how to write an effective missive to your MP, then read the ORG wiki's handy guide. What follow are some key points and requests to put to your MP for you to choose from - click on the links for further ideas and resources.

You could also ask your MP to sign the Early Day Motion proposed by Annette Brooke MP which calls upon the Government to reconsider its decision to proceed with the children's database ContactPoint.

A culture of disregard

Discgate was not an isolated incident. Seven months before the DVDs went missing, HMRC had already established a practice of recording sensitive data onto DVDs, secured only with a password and dispatched via internal mail. Emails sent back and forth about this debacle, the largest ever data breach to hit the UK, cite cost as the reason given for not filtering personal details out of the data. But how much is your privacy worth to you?

This is not just about the HMRC. The ORG wiki's log of UK privacy debacles has been struggling to keep up with the public sector bodies who have been queuing up to admit data breaches since the HMRC announcement. The HMRC data breach may be the biggest but it was not the first and it will not be the last.

If you're MP is wondering why a junior employee was able to download the information to CDs in the first place, then they're in good company:

"I would question whether anybody should be allowed to download an entire database of this scale without going through the most rigorous pre-authorisation checks."

"It was a really shocking example of loss of security."

Information Commissioner Richard Thomas

"How you can have a system which allows you to copy a whole database onto a disk is of concern,"

"Clearly there are issues about when the data was accessed and by whom. They should have had access controls and authorisation levels to make it physically impossible to burn a disc off the database without the say-so of the chairman of HMRC. Why isn't the technology there to do that? It isn't rocket science."

Assistant Information Commissioner Jonathan Bamford

The Information Commissioner described the HMRC breach as "the worst the ICO has encountered" and said it called into question the security of the entire system of data sharing in government. He called for a review of the national identity register, a call which echoes a marked shift in public opinion on ID cards, and a recommendation for more debate about ID cards from thinktank Demos, who concluded a year-long study of data-sharing last week. The Government's data minister, Michael Wills MP, has said that plans for the national ID register need looking at again. Ask that your MP pressures the government to re-examine the flawed National Identity Register.

On 27 November, children's Minister Kevin Brennan announced an independent assessment of the security procedures surrounding ContactPoint, to be conducted by Deloitte. An Early Day Motion asking Government to go further, and consider recommendations to scrap the idea, is currently collecting signatures: please encourage your MP to sign.

The fairytale of biometrics

For people in technology, one of the most worrying developments since this crisis has been ministers' using it as an excuse to push for solutions based around biometrics, solutions that would actually increase the privacy risks we are exposed to. Six leading academics (including two Open Rights Group Advisory Council members) recently wrote to the Parliamentary Joint Committee on Human Rights to express their dismay at how biometrics are seen as a magic fix for improving security:

"These assertions are based on a fairy-tale view of the capabilities of the technology and in addition, only deal with one aspect of the problems that this type of data breach causes. ... Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind."

Professor Ross Anderson, Security Engineering, University of Cambridge
Dr Richard Clayton, University of Cambridge Computer Laboratory
Dr Ian Brown, Oxford Internet Institute, University of Oxford
Dr Brian Gladman, Ministry of Defence and NATO (retired)
Professor Angela Sasse, Department of Computer Science, University College London
Professor Martyn Thomas, CBE FREng, Software Engineering, University of Oxford

These technologies are unproven and will not be ready for commercial deployment for another 15 years. Ask your MP to encourage the Government to listen to the facts on biometrics.

Brushing aside expert advice

Unfortunately, the skills and knowledge necessary for successfully procuring, managing and securing computer systems are not commonly possessed by Government Ministers or senior managers in the civil service. This might not be such a problem, were the Government to listen to the advice that has been readily offered by expert groups during the quest towards Transformational Government, and their warnings about giving thousands of people access to large, centralised databases. But then, why should it, when apparently it doesn't even listen to warnings from its own internal auditors?

"Again and again and again these warnings have been made in different contexts by expert groups and the Government has not been interested."

Professor Ross Anderson

We are living in an age where systems dealing with our identity must be designed from the bottom up not to leak information in spite of being breached. Perhaps I should say, "redesigned from the bottom up", because today’s systems rarely meet the bar. ... There is no need to store all of society’s dynamite in one place, and no need to run the risk of the collosal explosion that an error in procedure might produce.

Britain’s HMRC Identity Chernobyl - Kim Cameron (Microsoft's Chief Architect of Identity)

Ask your MP to encourage the Government to heed the warnings of these and other experts.

Together, we can stop the Government's privacy timebomb. If you haven't got time to write to your MP today, please write on the weekend. The more missives MPs receive on Monday morning, the more they will recognise the public mood on this issue, and the more likely they will be to raise their objections in Parliament on Monday afternoon.

[Read more] (1 comments)

December 12, 2007 | Michael Holloway

ORG Christmas Party - now with added CC birthday celebrations

Creative Commons (CC) celebrates its fifth birthday this weekend with a series of local celebrations across the globe, including Beijing, Berlin, San Francisco and Seoul. If you're part of the worldwide CC Community, follow this link for details of all the different parties. And if you're not yet aware of CC's excellent and thoroughly open projects, from their suite of 'some rights reserved' licences to the remix-community-incubator ccMixter, then be sure to get familiar.

ORG's invitation to join the party arrived a little late but luckily we already had a party planned for this weekend. So we'll join in the celebrations by raising a toast and a slice of cake to legal and creative sharing at our christmas party, which is this Saturday 15 December. If you're a part of the CC community please come down and join our bash. The event is hosted by BBC Backstage and we have a whole heap of fun planned for our guests, including a very special revival of Cory Doctorow's Copyfighters.

Here's all the details, including instructions for signing up:

Where? Ye Olde Cock Tavern, 22 Fleet Street, London EC4Y 1AA When? 19.30 - 02:00, Saturday 15 December 2007 Tickets: via Eventwax - click here to register Any questions? Phone +44 (0)20 7096 1079 or email info at openrightsgroup dot org.

[Read more]

December 06, 2007 | Becky Hogge

Happy birthday Gowers - but where are our reforms?

A year ago today, the Gowers Review was released to the public. The Government accepted all of the 54 recommendations it made, and experts welcomed the balanced approach it took to intellectual property law in the digital age, since it matched greater flexibility with tougher measures on enforcement (although at the time, we flagged its failure to distinguish between large-scale commercial counterfeiting, and small-scale non-commercial acts carried out by individuals, now a live issue with current IPRED 2 negotiations). But one year on, things don't look quite so rosy.

I interviewed Andrew Gowers a few hours after the release of the Review. He said that enforcement and flexibility were "two sides of the same coin". The Review states:

"Copyright in the UK presently suffers from a marked lack of public legitimacy. It is perceived to be overly restrictive, with little guilt or sanction associated with infringement."

Gowers's suite of recommendations attempted to redress this situation by re-instating the balance in copyright law. So how has Government performed in implementing Gowers's recommendations?

In April this year, changes to the Copyright, Designs and Patents Act came into force that allowed Trading Standards to enter premises and seize goods and documents they believe to be involved in copyright infringement. These changes were backed by £5m in new funding for Trading Standards. There is little question that this contributed to the arrests of webmasters at TV-links and Oink later in the year.

In May, the UK Intellectual Property Office (UK IPO) quietly delayed its consultations on changes to the law that would allow a private copying exception, an exception for researchers, for libraries and educators, and for those creating works of parody or pastiche out of copyrighted works.

In November, at an event hosted by the Social Market Foundation, the recording industry revealed plans to cooperate with ISPs and launch a "3 steps and you're terminated" regime that would cut off the internet connections associated with people believed to be sharing copyrighted works unlawfully. This industry cooperation is recommendation 39 of the Gowers Review, and it looks to be on schedule.

A call to the UK IPO yesterday confirmed that consultations on the exceptions to copyright law have been further delayed, and will now not be seen until the New Year. These are consultations, the first baby step in implementation, and it's unlikely that any actual legal amendments will be seen until 2009 at the earliest.

What's more, when the Open Rights Group met with culture minister Margaret Hodge and senior officers from DCMS and the UK IPO in October, it was revealed that actions to implement recommendation 11, that copyright should be amended at the European level to create an exception for transformative works, had not even been timetabled.

If enforcement and flexibility are two sides of the same coin, then one year on it looks like the toss has definitely gone to enforcement. This means that Government is in effect making the situation worse: concentrating on strengthening enforcement measures while failing to address the inherent inflexibility of copyright law that Gowers identified as a key factor in the general public's disrespect for the law.

It's up to all of us who submitted evidence to Gowers in 2006 to keep the pressure up on Government to make good on their promise to reform copyright for the digital age.

[Read more] (5 comments)

December 04, 2007 | Michael Holloway

Christmas Party 2007

BBC Backstage is once again kindly sharing its gert big Christmas bash with Open Rights Group. And this one's shaping up to even bigger and better than last year. For those who didn't make it, here's some picture of 2006's full-to-bursting party.

So this time around, on Saturday 15 December, we're taking over a 4-floor pub in the City of London. Amongst other treats there will be music, cake, party bags, werewolf and - for one night only - we're delighted to announce the return of Copyfighters, featuring the magical Cory Doctorow. You should fully expect mayhem, drunken fandango and herds of Santas.

There are 100 tickets reserved for ORGites and due to expected demand you must register on eventwax (which only requires your name, email address and "org" as the promo code). Please use the 'Open Rights Group' ticket option so we don't snaffle the backstagers' allocation.

Where? Ye Olde Cock Tavern, 22 Fleet Street, London EC4Y 1AA When? 19.30 - 02:00, Saturday 15 December 2007 Tickets: via Eventwax - click here to register Any questions? Phone +44 (0)20 7096 1079 or email info at openrightsgroup dot org.

[Read more] (1 comments)

December 02, 2007 | Michael Holloway

"3 steps and you're terminated"

Last week's Social Market Foundation event - 'Intellectual Property Rights and Consumer Rights' - despite the title's implied concern for balance, showed disregard for consumers and promoted rights holders' interests. The minister responsible for UK-IPO spoke of the need for balance in reforming Britain intellectual property regulation but Government's actions do not yet evidence this commitment. The BPI's trail for a UK version of France's '3 strikes' approach to p2p infringement also gave cause for concern.

The Parliamentary Under-Secretary for the Department for Innovation, Universities and Skills', Lord Triesman, broad-ranging speech (link to PDF download) took in the usual policy concerns of technological developments, new business models, traffic in infringing content and consumer awareness of IPR. However, a year on from the Gowers Review recommendations for flexible copyright regulation, including a 'format-shifting' exception to legalise the near-universal practice of transferring CD recordings to mp3 players, seem no closer despite the rapid allocation of funding to 'anti-piracy' enforcement. Ian Brown, billed as the event's agent provocateur, slammed the speech for its anti-competition and anti-consumer stance. For a more balanced approach to these issues, Ian's slides are available for download.

In the panel discussion that followed, Richard Mollett flagged moves towards a voluntary agreement between the BPI and ISPs to reduce copyright-infringing traffic, similar to France's '3 strikes' model. He expects an initial warning from the ISP that infringing traffic is associated with a particular account will halt 75% of infringers. If suspicious activity continues then account suspension is the next step, before the final sanction of account termination. Even assuming there will be adequate appeal procedures, although no assurances were given, this mechanism will harm consumer interests unless systems for identifying protected content operate perfectly. Regardless, and fortunately this point was recognised by all parties to the discussion, cutting off internet access is very much the 'nuclear option'. The proportionality of this approach still requires broader public discussion given internet access may soon become a basic need, comparable to utilities like water and electricity.

[Read more] (5 comments)

November 30, 2007 | Michael Holloway

Supporters Update - November 2007

This month's update contains the usual roundup of our activities and press plus info on ORG's christmas party.

Supporters Update - November 2007

[Read more]

November 21, 2007 | Becky Hogge

HMRC fiasco: Government "not interested" in expert warnings

Professor Ross Anderson, UK computer security expert and Chair of the Foundation for Information Policy Research, appeared on Newsnight last night, to discuss the HMRC data loss fiasco. He labelled the fiasco "an accident waiting to happen", and calmly, methodically, indicted the Government for brushing aside the advice of security experts who have been warning them against the centralised, top-down approach they have been taking to electronic government.

I hope Professor Anderson will not object to my transcribing his words in full, and linking to the reports he mentioned and the government responses that have brushed aside expert concerns.

"But if we return to the matter in hand, I'm afraid that there is a policy issue here not an operational issue because the government has repeatedly, over the last few years brushed aside one lot of advice after another about the growing problems of privacy and safety with aggregating more and more data.

We wrote a report for the Information Commissioner in November last year pointing out that the proposed children's databases were both unsafe and illegal. That was brushed aside.

Lord Broers' House of Lords Science and Technology Committee reported earlier this year saying that the government needed to get its act together on personal internet security. A large part of that was Treasury responsibility, better regulation of online banking. That was brushed aside.

The Health Committee reported in September saying that people needed a right to opt out of the large central databases of personal medical information that the NHS is collecting. That was brushed aside.

Again and again and again these warnings have been made in different contexts by expert groups and the Government has not been interested."

[Read more] (4 comments)

November 20, 2007 | Becky Hogge

HMRC loses confidential details of 15 25 million benefit recipients

The confidential details of 15 25 million child benefit claimants are reported to have been lost by HM Revenue and Customs. The BBC is reporting that HMRC's chairman, Paul Gray, has resigned.

BBC political editor Nick Robinson said he understood ministers had been aware of the problem for nine to 10 days.

Here in the ORG offices we are watching the Chancellor, Alistair Darling, make a statement on the matter to the House of Commons.

Update: The Chancellor has now made his statement to the House of Commons. It appears that the BBC under-reported the amount of people affected by this loss. Darling announced that a "password-protected" CD sent by unrecorded delivery contained details of 25 million individuals. That's just under half the population of the UK.

Details contained on the CD include:

  • Name;
  • Children's names;
  • Address;
  • Date of Birth;
  • National Insurance Number;
  • and, where relevant, bank details.

Darling used his statement to reassure citizens that banks had been informed and were taking measures to protect their accounts. The accounts of those whose details were lost had been flagged, said Darling, and were being monitored for irregular activity. He assured UK citizens that any innocent victim of fraud would be protected under the banking code.

According to Darling, the Information Commissioner will be investigating the data protection breaches that were presumably key in leading to this blunder.

[Read more] (11 comments)