14 November, 2015

Annual Report 2015

(1) Campaign work

Surveillance

ORG’s most important role has been to facilitate the creation of the Don’t Spy on Us coalition of NGOs to campaign against UK mass surveillance.

ORG produced a substantial report, Collect It All, which catalogued and analysed the extent of mass surveillance in relation to the UK, as revealed through Edward Snowden’s leaked documents. This report has provided the basis for our policy interventions, so we are able to take an informed position that considers the reality of surveillance and not just government statements. We engaged with experts including investigative journalist Duncan Campbell and Caspar Bowden as well as other NGOs to ensure the report is as accurate and wide ranging as possible. We shared it with policy makers, including members of the Joint Committee that scrutinised the UK’s new surveillance law, the Investigatory Powers Bill (IP Bill), which was published in draft on 4 November 2015.

The report explored some very difficult areas, including:
• how the different NSA and GCHQ surveillance programmes relate to each other
• the underlying technologies and how they leverage the position the agencies can command on the Internet backbone, for instance to enable hacking
• the connections between cyber offence and mass surveillance
• US–UK collaboration on technologies and data sharing, and the UK’s relationship with the other Five Eyes countries
• the impact on wider policies, including UK human rights promotion and Internet governance
• the relationship between oversight and surveillance practices, such as the authorisation processes for UK or US nationals.

We have also networked with communities affected by surveillance. Our policy director Javier Ruiz attended meetings of the Campaign Opposing Police Surveillance, a platform of individuals and groups affected by police undercovers ranging from trade unions, anti-racist groups to environmental activists. We met with Muslim groups and others.

Our submissions to the parliamentary committees scrutinising the Investigatory Powers Bill were widely quoted in the committees’ reports, with most of our major concerns – for example around Internet Connection Records – taken into account.

Data protection and e-Privacy

The General Data Protection Regulation (GDPR) is, in our view, an improvement on the current UK position. While for other countries it is not a major shift, for the UK it could create a much better environment for enforcement of data protection.

During the year, Policy Director Javier Ruiz has worked with experts to understand the implications of the changes negotiated through the EU ‘trialogue’ process. The regulation has an unprecedented level of discretion for member states to legislate exceptions so we have started discussions with UK privacy groups to campaign to ensure loopholes are not created and we take up the opportunities provided in the new law. Our main focus will be the implementation of mechanisms to allow public interest organisations and consumer groups to take up cases without instruction from specific affected individuals. This would be significantly change the nature of privacy enforcement in the UK for the better.

We engaged extensively in Open Policy Making process on data sharing run by the Cabinet Office, helping introduce safeguards and narrowing down the scope of government proposals. The proposals were introduced into Parliament in 2016 within the Digital Economy Bill, unfortunately with last minute expansion of the proposals.

We have also been tracking changes to E-Privacy. Jim Killock met with Commission officials courtesy of EDRi to explain the problems with UK lack of enforcement of E-Privacy which has led to very lax forms of consent for use of location and web traffic information on mobile platforms.

Javier Ruiz has continued his work on open data and privacy, running a workshop at the Open Data Conference in Ottawa and forming part of various expert groups. He recently contributed to an event organised by the Stiftung Neue Verantwortung in Berlin.

ORG has also intervened in the Scottish Government and National Records of Scotland (NRS) proposals to change the Local Electoral Administration and Registration Services. We were concerned those proposals would consolidate a national identity system for Scotland, with far reaching implications. We managed to delay implementation with discussions still in place.

Copyright

Early in 2015 we ran a series of small but very high quality seminars on copyright policy that brought together a wide range of experts including some from industry. These have built a policy foundation that we are using on all our copyright related work.

We have engaged extensively on the reform process at the EU level, including several visits to Brussels to brief members of the European Parliament and the Commission. Most of this work was co-ordinated through the Copyright for Creativity coalition, where we contribute and guide policy on an ongoing basis.

In the UK, we ran a campaign to highlight the problems with extending the sentences available for online enforcement of criminal copyright, in response to an official consultation.

We argued that the UK’s definition of ‘criminal copyright infringement’ is wide enough to catch people who are unintentionally creating ‘prejudicial’ damage to copyright holders, and that ‘prejudicial effect’ is in any case much vaguer than the international standard of ‘commercial scale’. We also pointed out that estimating damages from online infringement is notoriously hard. The problems are exacerbated by the involvement of private agencies who are partial in their views. There is a real danger of intimidation, misrepresentation and heavy handed responses. While the victims of such enforcement are often going to be in the wrong, there is still a question of proportionality in the punishments that they receive.

Our campaign generated over 1,000 public submissions, with the result that the IPO initially withdrew the proposal, in order to consider their options.

Copyright enforcement is one of the areas under reform at the EU level. We have engaged with the Commission officials directly and have started preparing an extensive report on website blocking in the UK and the EU – through a survey of EDRI member organisations – with the help of a volunteer lawyer from Germany who stayed with us for several weeks. We have also started the process for mobilising supporters to get responses to the official consultation.

We also ran a campaign to support proposals to allow EU users of digital subscription services to access them while abroad (so called ‘portability’). We encouraged around 460 people to respond, demonstrating that we are very willing to back positive copyright reform.

We have also been corresponding with the City of London Police’s Intellectual Property Unit (PIPCU) to understand their ‘follow the money’ approach to copyright enforcement. We are concerned with some of their tactics which appear to lack accountability and transparency. For instance, they issue website domain suspension requests to international domain registrars, without specific legal authority.

451 Unavailable

We have worked on the adoption of the 451 Unavailable error code, to help further detection of legally- mandated website blocking. 451 Unavailable is a legal, technical and advocacy project. The technical dimension is the error code itself, which can be used, if adopted, to identify censorship by machine-means. The legal dimension is the promotion of the code through legal interventions, and the transparency measures needed for blocking orders, such as who to ask in case of complaint. The advocacy includes explaining the reasons for the code, and pushing for companies to use it voluntarily.

Through the work of our partner Article 19, this error code is now adopted as draft by the IETC. Through our advocacy and campaign website, Automattic, the owners of WordPress.com, have become the first major company to adopt the error code on their commercial platform — a major victory, as they represent a large number of websites in use.

Blocked.org.uk

Through the year we have worked to develop our blocked.org.uk project, to deliver two key objectives:
• to provide evidence of harms from overblocking and under-blocking of inappropriate websites; and
• to facilitate a community of users of the software in other countries to help provide sustainability and wider impacts.

The Blocked too has tested over 3 million sites, and listed 180,000 blocked sites to date. Our tech volunteers imported a large chunk of the DMOZ URL library for site categorization so that blocked.org.uk now records more information about the type of blocking in place for a URL.

We worked with free speech NGO, Article 19 to enable them to launch censorship monitoring in three countries.

We also integrated the Ooni probe software with our system, to provide more technical analysis of interference with websites, and made result set showing network interference available to the Tor project; and contributed code and performance enhancements to Ooni-probe.

We produced a ‘bulk upload’ feature to allow bigger URL datasets to be added and analysed by non-technical staff. We publish all of our data and code in the open and have helped to create a community around the software development. We have also worked with UK academic partners who wish to use the data in their own research projects.

We have worked with individual website owners, helping them to have their sites unblocked and creating case studies that show the negative consequences of filters.

(2) Legal work

ECtHR challenge

ORG raised £30,000 alongside Big Brother Watch and Chaos Computer Club member Constanze Kurz to take the UK to Court for their involvement in the PRISM and TEMPORA programmes, among others. This challenge was lodged in 2013 and fast tracked in January 2014, but was delayed due to additional legal actions by other organisations in the Investigatory Powers Bill. All the cases are now likely to be heard this year. The government has a deadline of 21 March 2016 to respond.

Although the case will primarily focus on the ‘quality of law’ arguments – how foreseeable surveillance measures may be – we also expect the Court to comment on the proportionality of mass surveillance.

Judicial Review of DRIPA

ORG intervened with Privacy International in the Davis and Watson challenge to the UK’s Data Retention and Investigatory Powers Act (DRIPA). We argued that DRIPA was subject to the CJEU’s initial judgment as a matter of EU law, as the Data Protection and e-Privacy Directive keep retention of data within scope, and law enforcement is only permitted to retain data through derogations in these directives.

These arguments were successful, although in oral hearing, Davis and Watson focused on the authorisation regime. During the grant period, the government appealed the initial decision made against it. We continued to intervene, arguing that it was clear that the Judgment applied. The Court of Appeal however has asked two questions to the CJEU asking for clarification about whether and how the original DRI Judgment would apply to UK data retention. The UK’s reference is being heard alongside a Swedish reference in April. We expect answers in summer 2016.

Davis and Watson’s submissions have concentrated on the authorisation regime rather than blanket retention. We are extremely glad that we have been able to make the argument in support of the CJEU’s stipulations requiring retention to relate to specific purposes.

The CJEU’s procedures can be very restrictive for civil society interveners, as the rules assume that each government may make submissions, but do not invite parties that were not involved in the original cases. The Swedish reference contained no civil society interveners, and the Davis & Watson challenge has only ORG and PI to represent privacy concerns.

Microsoft Ireland

Thanks to Digital Rights Ireland were able to sign their amicus brief in the US vs Microsoft case, where Microsoft are arguing against the US courts demanding data that is held by an overseas subsidiary. We argued that such transfers should go through MLAT procedures. This is a light commitment but shows the value both in ORG having the expertise and in co-operation between groups interested in legal work.

Cartier

Following an intervention in this case, which proposed to allow trade mark owners the right to an injunction against infringing websites, ORG waited for an appeal, to argue for the need for specific legislation. The appeal was not heard within this financial year.

By order of the Board

Harry Metcalfe, Director

Accountants’ Report to the Directors of Open Rights

You consider that the company is exempt from audit for the year ended 31 October 2015. You have acknowledged, on the balance sheet, your responsibilities for complying with the requirements of the Companies Act 2006 with respect to accounting records and the preparation of the accounts. These responsibilities include preparing accounts that give a true and fair view of the state of affairs of the company at the end of the financial year and its profit or loss for the financial year.

In accordance with your instructions, we have prepared the accounts which comprise the Profit and Loss Account, the Balance Sheet and the related notes from the accounting records of the company and on the basis of information and explanations you have given to us.

The accounting records and explanations provided appear to be reasonable, however we have not carried out an audit or any other review, and consequently we do not express any opinion on these accounts.

Urban Ledgers Limited

14 Thornhill Square

London

Notes to the Accounts for the year ended 31 October 20151 Accounting Policies Basis of preparation of financial statements The accounts have been prepared under the historical cost convention and in accordance with the Financial Reporting Standard for Smaller Entities (effective April 2008).

2 Surplus income and the Accumulated Fund As a not for profit company, all income is dedicated to its object of raising general awareness of digital rights matters and is credited to an accumulated fund to be used for future projects. As a company limited by guarantee and without share capital, income cannot be distributed to shareholders.

3 Corporation Tax It is our understanding that corporation tax is not payable by Open Rights as it is a not for profit company.

4 Supporter Donations Regular supporter donations are treated on a cash basis, i.e. are treated as pertaining to the month in which they are received.

5 Staff Loans Staff loans are extended typically for the purchase of season tickets, and are repaid by equal deductions from the employees’ salaries.