Digital Rights and Ukraine

The war in Ukraine is having profound impacts on the digital rights of people in Ukraine, Russia and the UK. While the day to day devastation and displacement of people will be uppermost in all of our minds, changes in surveillance, censorship and monitoring of people across all of these countries is having profound and dangerous impacts. Open Rights Group will want to play our role protecting rights in the UK and beyond, as a matter of solidarity and ensuring that human rights are treated as universal values.

As an organisation, we are working on both Internet issues, and migration issues, as part of our strategy to protect the digital rights of vulnerable communities. The impact of the Ukrainian crisis can be felt in both these areas of our work. Many concerns we have had about privacy and free expression have been thrown into sharp relief.

The impact of privacy and Internet censorship on Ukrainian and Russians

Ukrainians and Russian citizens are now profoundly reliant on the free flow of information that the Internet can provide. Ukrainians need to communicate with each other, and the rest of the world, so that they are heard. We can be thankful that they are much more able to do this than in the pre-Internet era.

Censorship in Russia targeting the Internet, VPNs and Tor cannot be as successful as press and broadcast clampdowns. Nevertheless, the privacy of readers is paramount, if they are to find information while limiting the risks of access. Twitter’s release of a Tor service, alongside services from Facebook and BBC among others, are good examples of practical steps that can be taken.

Similarly, Instagram’s release of E2EE messaging services is to be welcomed. Any tool that encourages privacy and security of ordinary citizens in this crisis has to be a good thing. Likewise, encrypted services for public information from WhatsApp are a good service to offer.

However, we are very concerned about shutdowns of product updates by phone companies and software providers. These will lower the security of Russian citizens, and make them more vulnerable to government surveillance.

Data rights of migrants coming to the UK from Ukraine

Misinformation and disinformation have been hallmarks of the current conflict, and despite efforts to counter the battle of “alternative facts” from Ukraine’s tech community, these have unfortunately rebounded onto those trying to leave Ukraine and the examples are stacking up.

For instance, the Polish government has had to issue text messages warning migrants against crossing into Germany or Belarus. Meanwhile, fake racist telegram groups have urged Africans to wear armbands that will confuse them for combatants as accusations of racism by border authorities go viral. A likely nation-state sponsored phishing campaign has also been identified that may have used a “possibly compromised Ukrainian armed service member’s email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.”

And that’s where the problems start.

Precedent has already shown that Europe responds to refugee flows by fortifying its borders in increasingly technically advanced ways. Aerial surveillance dronesbiometric data collectionfacial recognition and mobile phone confiscations are just some of the intrusive techniques border forces have been instructed to follow and have used. 

Anyone coming into the UK can then expect the Home Office to process their data, hold it on a super databaseand pass it between government departments dealing with welfare, housing, education, healthcare and a number of other services refugees must access daily.

A fresh crisis like Ukraine gives the UK ample opportunity to push its digitisation agenda and while some are seeking to ease restrictions so Ukrainians can find urgent sanctuary, Britain has been steadfast in retaining biometric checks, citing security as the basis for its inflexibility. 

What we know about that agenda hasn’t come through transparent messaging, however. The Home Office’s secret visa streaming algorithm was only stumbled on, a worrying discovery that seemed to “entrench racism and bias into the visa system.” That’s why ORG is concerned. The context in which this war is playing out is already marred by racial discrimination and those seeking to come into the UK, do so at a time when the government is hardening its asylum laws through a two-tier system in the Nationality and Borders Bill. It also comes when the government is seeking to weaken data protection and control over personal data when the proliferation of that data in the system has never been greater.

It follows that this conflict needs vigilance, so that attempts to further surveil the most marginalised groups, such as refugees who come to the UK at their most vulnerable, are pulled up, and held to account.

The impact on UK citizens

The Online Safety Bill’s provisions to specify technologies for sweeping up content, providing user identity, verifying age, or in effect banning or limiting encryption stand in contrast with the practicalities of providing access to Internet services via Tor or using E2EE to make Ukrainian and Russian users safer. There is a fundamental disconnect between the demands of the UK to minotor, censor and surveil, while hoping these technologies will not be used against people in profound danger. It is not easy to see how Twitter or Facebook could provide their services over Tor, or deploy E2EE, if some of the provisions of the Online Safety Bill become a reality. We must hope that this becomes more apparent to law makers.

UK and EU residents are also impacted by some very ad hoc decisions to block access to websites, including RT and Sputnik. While nobody wants to defend these services, given the lies they promote, care and attention need to be employed. It is not possible to simply ban the content of a service in all circumstances: there are important reasons why someone may wish to repost, or criticise, or reveal, what such services are saying, not least to refute them.

Similarly, unilateral decisions by Nominet to block all domain registrations from Russian domain companies is problematic, not least as it could hurt dissidenting voices, and very different to the approaches taken by other Internet infrastructure organisations, who have prioritised continuity and access to services.

Russian-UK advertising and data transfers

It’s been almost four years since we took steps to ensure enforcement against adtech systems, and the unfettered broadcasting of personal information of Internet users to thousands of shady and unaccountable intermediaries. Also known as Real-Time-Bidding or data-free-for-all, surveillance advertising means that everytime you visit a webpage, make a purchase, or watch a video, this information is shared with anyone who wants it.

These systems are bad by default, and while advertisers usually claim to “personalise” user experience, this most likely ends up in banal discrimination based on gender, ethnicity, addictions, or other sensitive addictions. Things turn worse, however, if you think that a relevant number of adtech intermediaries spying and taking note of the daily activities of UK internet users and beyond are based in Russia, and have a legal duty to share this information with the Russian intelligence services if they’re asked to.

As most of these practices are underhanded, it is difficult to know or even estimate how this information is being leveraged, and what risks we may be exposed to. What’s undeniable, however, is that the United States are raising concerns about adtech data sharing as a threat to national security, exactly for its potential to deliver personal and sensitive information to foreign intelligence agencies. We also know from Cambridge Analytica that online profiling enables nefarious uses such as microtargeted, covert propaganda and pollution of the democratic debate.

Who benefits from this status quo then? And why do the UK Government insist on promoting an immoral and indecent business practice — for instance by proposing to undermine data protection against cookie-based online tracking, or for personal information that are transferred to third countries like Russia? Be as it may, it shouldn’t have taken us a humanitarian tragedy to realise the unsustainable nature of the engine that powers the toxic Internet.