Annual Report 2019

Open Rights

Report and Accounts
31 October 2019

About ORG

Open Rights Group (ORG) is a UK based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 3,000 active supporters, we are a grassroots organisation with local groups across the UK.

Our work on data protection and privacy includes challenging the immigration exemption to UK data protection law, defending the General Data Protection Regulation (GDPR) from attempts to water down its provisions, and challenging uncontrolled and unlawful data sharing by online advertisers.

openrightsgroup.org

Company Information 31 October 2019

Directors

James Cronin
Simon Phipps
Alec Muffett (resigned 20 January 2020)
Owen Blacker
John Elliott
Christian Scarborough
Brian Parkinson
Thomas De Grunwald
Adela Devlin
Azmina Dhrodia
Hannah Little
Secretary: James Cronin

Accountants

Urban Ledgers Limited
4 Thornhill Square London N1 1BQ

Bankers

Cooperative Bank plc PO Box 101
1 Balloon Street Manchester

Company number 5581537

Directors’ Report

Our Objectives, Mission, and Activities
Introduction
Cross-Cutting Issues
Brexit and Trade Agreements
VIRTEU Project
Privacy
Adtech
Age Verification
Data Protection
Data and Democracy
Free Expression
Online Harms
EU Copyright Laws
Other free expression work
Online Surveillance
ORG Scotland
Community and Activism
ORGCon
Local Groups
Financial statements
Accountants’ Report
Income and Expenditure Account
Balance Sheet
Notes to Financial Statements
Report of the Board of Directors

The Directors of the company present their annual report for the year
ending 31 October 2019.

The Directors would like to thank our members, supporters, donors and grantors who made our important work possible. The Directors would also like to thank our staff, volunteers, members of our local groups and Advisory Council for their hard work, support, tremendous knowledge and world-class expertise.

Our Objectives, Mission, and Activities

Open Rights Group is a UK-based campaigning organisation working to protect the rights to privacy and free speech online. With over 3,000 active supporters, Open Rights Group is a grassroots organisation with local groups across the UK.

We challenge:

• Threats to privacy by both the government through the surveillance of our personal communications, and by private companies, which use our personal data in opaque and secretive ways.
• Threats to free speech through the criminalisation of online speech, online censorship and restrictive copyright laws.
• We work to protect and extend human rights and civil liberties which history tells us are often overlooked or eroded during periods of rapid change.

Our activities include public education and awareness raising, constructive engagement in policy making using our expert research, campaigning and, where necessary, legal interventions.

Our values:

• We believe in human rights;
• Our work is based on evidence;
• We are accountable to our supporters, and operate with integrity;
• We believe in the importance of empowered people defending digital rights; and
• Our work must be accessible and inclusive.

2018–19 was a busy year in which the Open Rights Group broke new ground and made a significant impact on digital rights.This is a challenging period for our work. Digital technology is ubiquitous; the collection and use of data grows exponentially; and the potential is evermore powerful, for purposes both helpful and dangerous.On top of that, the changes to the legal framework accompanying the UK’s departure from the European Union are likely to be significant.

Despite claims that we will regain sovereignty, there is every likelihood that the UK will sign up to agreements that restrict fundamental rights as a result of its unequal bargaining power with the US.Following our three-year strategy, in 2018–2019 we focused on privacy, free expression, and surveillance online. Our strategy also recognises that other sectors need support developing an understanding of digital rights. We therefore began to provide a ‘support strand’, initially focusing on immigration.We seek change through policy advocacy, campaigns, technical tools, and when all else fails, legal action. This year saw us use all of these means effectively, to achieve our goals.

We developed our community activism with renewed support for local groups and sought to broaden the range of groups we reach, particularly through a more diverse ORGCon, securing participation and attendance from more women and people from ethnic minorities than ever before.We also developed our administration, project management, and financial systems significantly during the year, providing a solid basis for progress in 2019–20. For the first time, our Advisory Council elected three new Board members, so that our Board is now majority-elected by our community.

This year our top achievements included:

• Establishing ORG as an authority on digital trade
• Establishing ORG as an authority on adtech and co-ordinating a pan-European challenge
• Raising awareness on the use of data in politics and established ORG as an authority in this area during the general election campaign
• Successfully delivering our strategy of providing technical, policy, legal and campaigning support to other sectors such as work with the3million on the immigration exemption
• Mapping the scale of overblocking and censorship by online ISP content filters
• Documenting massive informal state takedown powers exercised by UK police and law enforcement through Nominet domain suspensions and terrorism content removal requests
• Bringing together a coalition protecting online free expression against state regulation of legal content
• Fighting the lack of privacy protections in Age Verification plans and bringing these to a halt
• Our biggest ever ORGCon with Edward Snowden keynote
• Growing ORG’s influence and impact in Scotland

James Cronin

Chair of the Board of Directors

Cross-Cutting Issues

Brexit and trade agreements

Agreements between the UK and the US will have increased impact on digital rights in the UK after the UK completes its departure from the EU. The likely future strategic alignment of the UK with the US created a need for ORG to engage more closely with US groups. ORG has a good relationship with the Electronic Frontier Foundation (EFF) and is part of the Transatlantic Consumer Dialogue (TACD). This year we continued to develop these relationships and sent our policy staff to the US to expand and build on our contacts there. ORG submitted responses to the UK government’s series of consultations on new free trade agreements with Australia1 and New Zealand,2 and possible membership of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).3 In late 2018 we responded to the government’s consultation on a free trade agreement with the US4 with a supporter response campaign which generated over 400 submissions through our tool, that called for maintaining high standards of data protection.5 The government’s analysis of the consultation, released in July 2019, reported that: “Respondents identified Digital Trade as a key priority for a UK–US FTA, where many respondents were supportive of maintaining a high level of data protection and privacy standards in the UK.”6

In May 2019, to coincide with the European Parliamentary elections, ORG released a series of significant policy analyses that fuelled a broader public campaign to raise awareness on the effect of Brexit on digital rights. Local groups in London, Glasgow, Cambridge, and Norwich all held events on “How Will Brexit Affect UK Life Online?” during 2019. In October 2019 our Legal and Policy Officer travelled to Strasbourg for meetings with MEPs Magid Magid, Patrick Breyer, Julie Ward, Antony Hook, and Alexandra Geese to discuss the issues raised in our Brexit briefings and stress the need for the European Union to maintain high digital rights standards in any future deal with the UK. Geese’s office is still keen to work on shared issues such as children’s privacy and the changes needed to adtech, and discussions are ongoing via European partners on how best to facilitate this. We held a series of other meetings and dialogues concerning future UK and US agreements in order to ensure we have an understanding of the discussions, stakeholders, approaches, and negotiations taking place in the UK and the US. Some of our main activities in this area were:

• Attending briefings organised by the Department of Trade on intellectual
• property in preparation for trade negotiations and consult on their general approach.7 We highlighted the need to quantify the value of the public domain in their economic analysis and emphasised the need to engage with development groups on the impact of trade agreements on knowledge transfer with the developing world.
• Meeting in the US with Microsoft, Facebook, Twitter, Google, OATH (Yahoo), and various civil rights organisations regarding international agreements between the US and the UK that give law enforcement agencies direct capabilities for interceptions of communications.

ORG has worked to develop its capacity on the emerging issue of digital trade and carve out a leadership role in this area. We are the only civil society member of the Intellectual Property Trade Advisory Group, a multi-stakeholder group advising the UK Government on the emerging issues of intellectual property and trade. Throughout the project our Policy Director produced a series of blogs8 and guides that laid the groundwork for what is likely to be a significant policy space in the years to come.We have also established new relationships with the think-tank New Economics Foundation on trade issues, with consumer organisations such as US-based Public Citizen, and coalitions such as the Trade Justice Movement.

Futurebook campaign

In July 2019 ORG launched the parody social media site Futurebook9 to show users what the web could look like if digital rights such as net neutrality, intermediary liability, and data protection are removed or undermined as a result of Brexit.10 The page is designed to resemble an old version of Facebook with the addition of deliberately creepy and invasive advertising and detailed explanations of the imaginary personal data that went into creating them. The page incorporated redacted comments and posts that were restricted from view for intentionally spurious reasons, including a comment function that blocks comment, also for spurious or opaque reasons.

These then take visitors to a splash banner revealing the site as an ORG parody and encouraging them to sign up and pledge to protect a future of digital rights.11 The campaign received 9,073 unique page views.

VIRTEU project

ORG participated in a three-year project to understand the ethical considerations that face Internet of Things (IoT) developers and create tools to help them make better decisions. The project ended in December 2019, so this report covers all but the last two months of the final year. ORG’s contribution was based on several years of research work in which we analysed the legal framework, including potential impacts of Brexit, and engaged directly with IoT developers to form a closer view of their decision-making processes via role-playing workshops which took developers through the issues facing companies. ORG’s main deliverable was an open source online interactive tool to help developers conduct privacy, social, and ethical impact assessments of IoT projects.

The results of this work have been released as open publications and code.12 There is more detail at the VIRTEU website.13

Privacy

AdTech

On 12 September 2018 Executive Director Jim Killock and Dr Michael Veale (UCL) complained to the Information Commissioner’s Office (ICO), the UK’s data protection regulator, that the online advertising industry systematically breaches data subject rights by sharing personal data without safeguards or control, voiding any notion of consent.

We highlighted the role of the Internet Advertising Bureau (IAB) in co-ordinating what we believe are serious breaches of data protection law. The ICO responded with an investigation and held meetings to examine adtech industry practice.

In June 2019, the ICO published its update report.14 It found a range of issues with real-time bidding (RTB) in particular, and concluded that special category data lacked explicit consent and was therefore being processed illegally.

The ICO said it would continue to gather more information and potentially conduct a further industry review after six months; its reluctance to immediately enforce any GDPR violation finding against adtech is likely due to their belief that there may be potentially negative impact on the publishing industry.

Nevertheless, a growing body of evidence shows alternatives do exist, which is an increasing part of our advocacy. Through its legal representative, Ravi Naik at ITN Solicitors, ORG has written to the ICO reminding it of its investigatory and enforcement powers and pressing for action. GDPR complaints about RTB had also been submitted to data protection authorities in Ireland (Brave and Johnny Ryan) and Poland (Panoptykon).

As a result of ORG’s outreach and networking, organisations and individuals filed 15 further complaints in 12 EU member states.15 These used Ryan’s complaint, which Naik prepared, as their template. We collaborated by sharing relevant material, translating complaint documents, and, with Brave’s assistance, securing good media coverage, putting public pressure on Google and the IAB.16

There is growing recognition of the interconnection of data protection and competition law. The European Data Protection Supervisor has advocated that competition law enforcers should consider the data protection rights of consumers and intervene to control market power in the digital economy.17 The European Commission, for example in a January 2016 speech by Margrethe Vestager,18, and national competition authorities19 have also begun considering whether competition law should incorporate data protection and privacy concerns, particularly regarding big data.

These debates are relevant to adtech work. In ORG’s submitted comments on scope to the UK Competition and Markets Authority (CMA) market study of online platforms and the digital advertising market,20 we encouraged the CMA to (a) look beyond online platforms to the wider adtech ecosystem; (b) include not only practical applications of advertising but also how industry standards are set; and (c) consider the issue of cookie tracking and forced consent. Brave separately submitted comments focusing on how data protection law could prevent monopoly leveraging in digital markets. If the CMA decides to take action in due course, the result could be far-reaching and impacting our litigation strategy.ORG hosted a series of local events in London, Glasgow, Oxford, and Norwich to educate the public about RTB and lay the groundwork for future campaigning. In October Campaigns Manager Mike Morel spoke on adtech to the large audience at Oggcamp in Manchester.

Age verification

The Digital Economy Act 2017

21 introduced a duty for websites hosting pornographic content to actively verify that users are over 18. Non-compliant websites may be blocked by order of the regulator. Unlike copyright blocks, injunctions are not required.

The Act does not contain provisions to secure the privacy and anonymity of users of pornographic sites being age-verified. ORG campaigned for privacy protections to be included in the Act, and not merely in non-binding guidance issued by a private body that has been assigned the role of age verification regulator. ORG believes that the government should ensure that age verification systems, by default, must not be able to identify a user to the pornographic site. The user information that age verification tools are allowed to store should be strictly limited.

In November 2018, ORG put significant effort into raising privacy and free expression concerns surrounding age verification, including printing and delivering 344 supporter letters to DCMS. ORG spent much of 2018–2019 awaiting a formal response from the designated regulator, the British Board of Film Classification (BBFC), which conducted an April consultation22 on the age verification proposals. BBFC eventually made significant changes to its age verification scheme, in particular introducing a voluntary privacy protection ‘certification scheme’.

Probably the delays related to the difficulties of creating this voluntary scheme, which did not appear in the Act. The Lords queried the Government’s ability to allow this, given the omission.

Unfortunately, BBFC did not consult on the contents of the privacy scheme, and was unable to make it compulsory. Our June 2019 analysis found the scheme good in some aspects, such as scope and mitigations against insider threats, but lacking in others, such as technical information security, where nothing specific was required. Even so, the age verification industry complained that the requirements were too onerous. We contrasted the scheme with other industry security standards which are highly specific, require audit, and are enforceable.23

We continued to highlight privacy concerns to the media, Parliamentarians, and government, explaining that the BBFC’s code needed to be beefed up and made compulsory. We approached industry to ask them to do the same, and held a roundtable near BBFC’s offices to discuss what should happen, as BBFC itself refused meetings during this period.

In summer 2019 we launched AgeVerificationFacts.org.uk,24 a microsite dedicated to informing the public about the privacy risks of AV. The site was designed to address three separate audiences — under 18s, over 18s, and website owners.On 16 October 2019 the government announced it was dropping age verification, and rolling any future thinking into the Online Harms bill.25 ORG’s work on this was directly relevant to this outcome as very few other organisations were even engaged on this topic, it is a significant outcome for ORG’s steadfast advocacy.

Data Protection

Age Appropriate Design: Code of Practice for Online Services

The 2018 Data Protection Act mandated the ICO to create a code to enhance children’s privacy, and unexpectedly included age verification as a recommended measure. In 2019, ORG responded to the ICO’s public consultation on the Age Appropriate Design: Code of Practice for Online Services. In May 2019, ORG’s public campaign generated 288 supporter submissions to the consultation. These stressed that the Code could increase data collection and profiling and lead to adults and children being constantly age-checked for everyday services.

One result of the Parliamentary debate of the 2018 Data Protection Act was to add a statutory review of the omission of Article 80.2 of the GDPR, which allows groups like ORG to bring actions in the public interest. In September 2019, ORG helped Baroness Beeban Kidron’s office draft the Data Protection (Independent Complaint) Bill26 to implement Article 80.2 into UK law. We await a formal starting point for the statutory review but in the meantime continue to work with allies like Baroness Kidron’s 5Rights Foundation to advocate for 80.2.

Immigration Exemption from Bill to litigation

The Data Protection Bill also contained a very wide exemption for processing data for immigration purposes, removing the data controller’s responsibility to provide information to an individual, before, during, or after collection, or to abide by the seven data protection principles if doing so would prejudice “effective immigration control”. The exemption also removed subject access rights.

When the Act came into force in May 2018, the3million and ORG instructed Leigh Day solicitors and prepared to challenge the immigration exemption. The Brexit Select Committee discussed the challenge and heard evidence from the3million.27 The two organisations successfully crowdfunded £42,30028 to protect against losses and won support from Shadow Digital Minister Liam Byrne.29

In August 2018 ORG and the3million requested a judicial review of the immigration exemption, which was heard in the High Court in July 2019. During the case the Home Office revealed that the immigration exemption had been used in 60% of immigration-related data requests since the beginning of 2019 and that individuals were not informed when the exemption was applied.30 The Home Office admitted in pre-litigation correspondence that it was changing practice.

In October 2019 the court found in favour of the UK Government that the immigration exemption was lawful.31 ORG and the3million were granted an appeal in November 2019.32 A date is yet to be decided.

Data and Democracy

Electronic voting and counting

In 2018, ORG learnt that plans for electronic voting were advancing in Scotland and Wales. After meetings with ORG in 2018 and 2019, the Welsh and Scottish Governments decided to cancel the statutory e-voting trials. This was a significant win for ORG.

As this is an ongoing issue, ORG facilitated a robust, expert-led debate on e-voting at ORGcon 2019 and participated in two Institute of Engineering and Technology roundtables on the topic.33

ORG also met with representatives of London Elects and the Greater London Assembly (GLA) and prepared questions for two members of the GLA Oversight Committee to ask in scrutinising the procurement process for e-counting machines. ORG’s work on e-counting has been highlighted in specialist publications such as The Register.34

Digital spending, personal data use, and data-driven political campaigningORG began a long-term Data and Democracy research project to understand what data political parties hold on citizens via subject access requests (SARs). We drafted a pilot SAR template, and asked members of staff to test it by filing requests with political parties before launching it more broadly. So far, 10 members of the public have sent SARs to political parties with the intention of returning their results to ORG. ORG commissioned YouGov to poll 28 marginal constituencies on their opinions on data-driven campaigning practices,35

In support of the project, ORG has produced several written documents, including responses to two consultations, one from the House of Lords’ Democracy and Digital Technologies Committee,36 and the other from the ICO on its draft framework code of practice for the use of personal data in political campaigning.37 ORG drafted principles for the ethical use of personal data by political campaigners. ORG has carried out significant public engagement in relation to this project, including a main stage panel at ORGcon 201938 which featured a diverse group of experts discussing the use of data in politics. ORG has also enjoyed significant engagement success with political stakeholders. Being asked to give testimony to the All-Party Parliamentary Group on Electoral Campaigning Transparency boosted our credibility.39

We followed up with two meetings with DCMS Select Committee Clerks, who now receive our analysis directly. Having increased our standing amongst parliamentary stakeholders we have begun taking more of a multi-stakeholder approach. For example, we organised a roundtable on the ICO’s draft code of practice which was attended by representatives from regulators, academia, civil society. and government.40

ORG has steadily developed its media profile in this policy area throughout this project through a combination of press releases, strategic partnerships, and ‘earned media’ that have made us a trusted and authoritative media presence. Notably, through partnership with Sky News’ technology correspondent,41 ORG has appeared three times on Sky News discussing the early results of the SARs project.42 A story about the LibDems’ use of personal data43 generated over 13,000 views on YouTube.
Free expression

Online Harms

Internet Regulation and the Digital Charter

The UK government announced plans to regulate social media companies’ treatment of content in its White Paper on Internet Safety in 201744 and launched a Digital Charter in early 2018.45 In our response to the white paper in May 2018, we noted that the paper’s approach conflated many kinds of harms, failed to provide evidence of the scale of the alleged problems, and showed a desire to create incentives to remove legal material. It fails to address the complexity of dealing with unwanted behavioural issues that inevitably fall within the realm of free expression.

Parliament seeks to regulate the tech giants for a large range of social harms relating to behaviour on the Internet; however the regulation is ultimately aimed at the speech of the users on those platforms. While we recognise the undoubted problems, these are endemic social issues rather than pure creations of the tech companies. Furthermore, the risk model underlying the wide-ranging, state-regulated duty of care appears hard to implement in a way that respects lawful free expression.Because this is a highly complex area, ORG decided to take two steps to provide leadership and help build consensus.

First, we helped form a loose coalition of free expression organisations in the UK who wish to engage with Government as a way of ensuring access to civil servants and the policy process. Second, we reached out to some of the groups representing those most impacted by the issues the Government seeks to address. We also met with stakeholders including big tech representatives, and established informal coalitions with rights groups, industry, think-tanks, and academics.

The resulting open information exchange and policy discussion helped us understand different perspectives and engage in constructive debate on policy proposals. This effort culminated in a workshop with over 40 participants, and a report summarising the issues raised.46 We published two research reports, developed policy positions on the government’s Online Harms White Paper, submitted a detailed response to the public consultation47 and participated in government roundtable consultation meetings on the policy proposals. This increased understanding amongst policymakers of the complexity of issues and encouraged government to consider the problems more widely. Our simultaneous public campaign generated 244 supporter submissions to the DCMS public consultation arguing for a rights-based approach to social media regulation.

By the end of the year, the UK Government had not reached a firm conclusion about the way forward, and had recognised that our concerns are valid, even if it still wanted to advance a wide regulatory solution. The fact that the policy was still in development after over two years speaks to the difficulty of finding a workable solution. We and other stakeholders continue to agree that the policy remains poorly thought out and should shift to procedural accountability.48

EU copyright laws

The EU passed the Copyright Directive in June 2019. We ran a strong campaign against restrictions on fair dealing and reuse of weblinks. In particular, we opposed Article 17 (previously Article 13), which requires site owners to proactively detect and remove material that potentially infringes copyright, making it hard to envisage how individuals can use existing copyright exceptions for news and parody. Public discourse has called this an ‘attack on memes’. The detection requirement appears to require platforms to monitor the users’ communications for infringements.In March 2019, in anticipation of the final European Parliament vote, we attracted 866 submissions to our email-your-MEP campaign and met with EDRi to encourage a pan-European lobbying trip. We compiled a summary of lobbying insights gained from earlier such trips to inspire other members to join us. Our activists and others from other organisations went on lobbying trips to Brussels and Strasbourg on the eve of the vote, and Campaigns Manager Mike Morel met with aides to about two dozen MEPs.

Concern about the Directive was widespread. A petition attracted over 500,000 signatures, and over 170,000 protesters attended street demonstrations across Europe. Nevertheless, the EU Parliament and Council passed it into law. Promises to limit the damage were made, including to avoid general monitoring of communications. The EU and member states continue to struggle to find realistic means of implementation.

Although the UK backed the Directive’s passage, only a few months later, the UK Government decided it would not transpose it in the UK.

Other free expression work

Free expression reports

In order to ensure that we had a full view, we evaluated the free expression problems facing the UK in two reports. In the first, we focused on the impact of informal mechanisms to remove or restrict material. Nominet suspends over 30,000 domains annually without a court order.49 The agencies making the requests generally offer little transparency or clarity about why they ask, and there is no provision for explaining to users who land on suspended domains. The Counter-Terrorism Internet Referral Unit claimed to have requested the removal of 300,000 pieces of material,50 again with little or no supervision and no authorisation mechanism.51 As a result of our report, Nominet ran a consultation in October 2019 on their policies.52 Our second report considered general questions of intermediary liability, process, and notice and takedown regimes in advance of the government’s Online Harms white paper.53

Blocked.org.uk

Our growing body of evidence from UK Internet providers’ filtering systems shows the importance of maintaining consent for filtering, and creating a basic means to get wrongly blocked material reinstated. Many ISP customers clearly do not fully understand filters, or why they may have been applied to mobile or domestic connections. Filtering damages a wide range of businesses through no fault of their own.

Our report Collateral Damage in the War Against Online Harms helped give firm evidence of the scale of the problem.54 Our tool now tracks how efficiently ISPs respond to complaints; some take weeks to check reports and in many cases they were unable or unwilling to correct mistakes, instead deferring to their filtering providers. This approach is unacceptable.To their credit, mobile operators engaged with ORG after the report to try to resolve some of the problems we noted. While we disagree with the lack of consent prior to applying blocks, we acknowledge their co-operation to improve appeals processes and deal with some common problems, such as mis-classifying CBD sellers as promoting illegal drugs.

Online Surveillance

Surveillance legal challenges

Following Edward Snowden’s 2013 revelations of GCHQ mass spying, ORG partnered with Big Brother Watch, English PEN, and computer scientist Dr Constanze Kurz to launch a challenge. On September 13 2018, the European Court of Human Rights (ECtHR)55 ruled that the UK’s bulk interception programmes breached the European Convention on Human Rights. The Court found that the UK’s mass surveillance programmes Snowden revealed ‘did not meet the “quality of law” requirement’ and were ‘incapable of keeping the “interference” to what is “necessary in a democratic society” ’.
Though this was a victory for us, the decision stopped short of declaring bulk interception illegal, instead faulting poor oversight.This judgment was the Court’s first ruling on the UK mass surveillance programmes that Snowden disclosed.56 We still await a final judgment from the Grand Chamber on the legality of bulk collection.


Our work in Scotland continued to grow, and 2019 saw our influence and impact increase.Built on the campaigns discussed above, our early engagement with Scottish civil servants led to their decision not to take forward trials of electronic voting. We continued our engagement with the Scottish Government on digital identity systems. A select group of ORG’s membership in Glasgow worked with the Scottish Government’s user design team on building transparent systems for users to retain control of their personal data. As a member of the Scottish Government’s Digital Identity Expert Group, our Scotland Director led a group of experts concerned about the lack of privacy standards in a meeting with the Scottish Digital Identity team, which renewed their focus on establishing both technology and policy to support strong privacy protections.

Our work on cyber kiosks – mobile phone extraction equipment – to be rolled out to all Police Scotland stations, was influential across the year. Our submissions on the issue in November 2018 raised fundamental human rights concerns.57 Our Scotland Director’s paper58 questioning the legal basis for Police Scotland to seize mobile devices was selected for presentation at the BILETA conference in Belfast, which he attended in person in April 2019. It was also sent to members of the Justice Sub-Committee on Policing at the Scottish Parliament, which had called for pausing the kiosks’ roll-out pending legal clarification.59

While there was no announcement, the kiosks, which had been due for roll-out at the end of 2018, had still not appeared by October 2019. In June 2019 the Scottish Cabinet Secretary for Justice announced an independent review60 of the legal and ethical issues arising from emerging technology.Our continued push to create a Scottish Biometrics Commissioner gathered momentum. ORG’s September response to the Justice Committee’s call for evidence on the Scottish Biometrics Commissioner Bill61 was quickly followed by a joint letter, led by ORG with sign-ons from Amnesty International and Big Brother Watch, calling to widen the Scottish Biometrics Commissioner’s remit.62

The written submission led the Justice Committee to invite ORG to give oral evidence63 alongside the Scottish Human Rights Commission and the Information Commissioner’s Office in October, when the Committee was preparing its report to the Parliament, due in December.ORG also continued to expand its media influence by appearing on Good Morning Scotland to discuss Police Scotland’s plans for mobile phone extraction by Police Scotland, on BBC Scotland’s flagship news show The Nine to discuss FaceApp and biometrics in Scotland, and was interviewed by the Scottish Daily Record on age verification64 and The Ferret on mobile phone seizure and extraction by Police Scotland.65

Finally, ORGCon Scotland66 was held on 26 October 2019, for the first time since the current Scotland Director had come into position, and drew over 80 people despite the cold, including keynote speaker MSP Patrick Harvie.67 The programme explored Scotland’s unique digital rights environment, including topics like police cyber kiosks and Government plans for digital identification. The majority of attendees were non-ORG members but reported interest in joining, suggesting that this event reached new audiences. Evaluations showed a high satisfaction rate (8.5/10) and we received compliments on the high standard of debate in the panels. The most common negative feedback was that individuals wished it had been spread over two days so they could attend more sessions.

Community and activism

ORGCon

ORGCon 2019 in London68 was the biggest-ever, with over 700 attendees and an inspiring keynote by whistleblower Edward Snowden in his first appearance in front of a UK digital rights audience.69 The programme featured over 50 speakers across four rooms who covered free expression online, mass surveillance, digital privacy, and data and democracy. An interactive Action Space offered exhibits, art, and installations demonstrating the impact of technology on our lives.

Local groups

ORG’s 10 local groups ran 56 events across the UK supporting our work across the entire country. These groups are led by volunteer organisers in London, Bristol, Cambridge, Oxford, Norwich, Birmingham, Newcastle, Glasgow, Edinburgh, and Aberdeen. Events ranged from expert speaker panels, activist trainings, film screenings, and community outreach stalls to digital security workshops, cryptoparties, planning meetings, and pub socials. An organiser summit was held in Birmingham to train local group leaders and encourage cooperation amongst organisers.

Accountants’ Report to the Directors of Open Rights

You consider that the company is exempt from audit for the year ended 31 October 2019. You have acknowledged, on the balance sheet, your responsibilities for complying with the requirements of the Companies Act 2006 with respect to accounting records and the preparation of the accounts. These responsibilities include preparing accounts that give a true and fair view of the state of affairs of the company at the end of the financial year and its profit or loss for the financial year.In accordance with your instructions, we have prepared the accounts which comprise the Profit and Loss Account, the Balance Sheet and the related notes from the accounting records of the company and on the basis of information and explanations you have given to us.The accounting records and explanations provided appear to be reasonable, however we have not carried out an audit or any other review, and consequently we do not express any opinion on these accounts.

Urban Ledgers Limited

14 Thornhill Square

London N1 1BQ

Date: 20 July 2020

Income and Expenditure Account

for the year ended 31 October 2019

Balance Sheet

for the year ended 31 October 2019

For the year ending 31 October 2019 the company was entitled to exemption from audit under section 477 of the Companies Act 2006 relating to small companies.

No members have required the company to obtain an audit of its accounts for the year in question in accordance with section 476 of the Companies Act 2006.

The directors acknowledge their responsibility for complying with the requirements of the Act with respect to accounting records and for the preparation of accounts.

These accounts have been prepared in accordance with the micro-entity provisions of the Companies Act 2006 and FRS 105, the Financial Reporting Standard applicable to the Micro-entities Regime.

Approved by the Board on:

James Cronin, Director>

Financial Statements

Open Rights Report and Accounts 31 October 2019

Notes to the Accounts

for the year ended 31 October 2019

1 Accounting policies

Basis of preparation of financial statements

The accounts have been prepared under the historical cost convention and in accordance with the Financial Reporting Standard for Smaller Entities (effective April 2008).

2 Surplus income and the accumulated fund

As a not-for-profit company, all income is dedicated to its object of raising general awareness of digital rights matters and is credited to an accumulated fund to be used for future projects. As a company limited by guarantee and without share capital, income cannot be distributed to shareholders.

3 Corporation tax

It is our understanding that corporation tax is not payable by Open Rights as it is a not-for-profit company.

4 Supporter donations

Regular supporter donations are treated on a cash basis, i.e. are treated as pertaining to the month in which they are received.

5 Tangible fixed assets

Depreciation has been provided at the following rates in order to write off the assets over their useful economic lives:

Equipment: 33% straight line

6 Staff loans

Staff loans are extended typically for the purchase of season tickets, and are repaid by equal deductions from the employees’ salaries.

1 https://www.openrightsgroup.org/about/reports/open-rights-group-submission-to-uk-consultation-on-a-new-free-trade-agreement-with-australia.

2 https://www.openrightsgroup.org/about/reports/open-rights-group-submission-to-uk-consultation-on-a-new-free-trade-agreement-with-new-zealand.

3 https://www.openrightsgroup.org/about/reports/open-rights-group-submission-to-uk-consultation-on-the-uk-joining-the-comprehensive-and-progressive-agreement-for-trans-pacific-partnership-(cptpp).

4 https://www.openrightsgroup.org/about/reports/org-response-to-uk-consultation-on-a-new-free-trade-agree-ment-with-the-united-states

5 https://action.openrightsgroup.org/preserving-digital-rights-ukus-trade-negotiations

6 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/818312/Public-consultation-on-trade-negotiations-with-the-United-States-Summary-of-responses.pdf

7 https://www.gov.uk/government/consultations/trade-with-thecomprehensive-and-progressive-agreement-for-trans-pacific-partnershipcptpp

8 https://www.openrightsgroup.org/blog/2019/leaked-uk-us-trade-talks-risk-future-flow-of-data-with-the-eu 

https://www.openrightsgroup.org/blog/2019/us-red-lines-for-digital-trade-with-the-uk-cause-alarm

https://www.openrightsgroup.org/blog/2019/org-calls-for-a-transpar-ent-and-participatory-trade-policy-after-brexit

 9 https://www.futurebook.co/ 

10 https://www.openrightsgroup.org/press/releases/2019/futurebook-parody-site-shows-a-dystopian-digital-future

11 https://action.openrightsgroup.org/pledge-future-freedom-and-rights

12 https://github.com/virteu and https://blogit.itu.dk/virteuproject/deliverables/

13 https://virteuproject.eu

14 15 https://docs.google.com/spreadsheets/d/1FsHUeh-YJJ-Pgo4eg-6wKgLF4MKt89-gf38vZhZLOGY/edit?usp=sharing_eil&ts=5d2c5cde

16 https://docs.google.com/document/d/1FdHY03uIHNpx0wGKAdLx0KcJBxv_ChjFaakB-r8BBts/edit?ts=5ce7a6bd

17 https://edps.europa.eu/sites/edp/files/publication/16-09-23_bigdata_opinion_en.pdf

18 https://www.youtube.com/watch?v=I3eb036cYNY. See also Lessons from the Facebook/WhatsApp merger case, Competition Merger Brief No. 1/2015, http://ec.europa.eu/competition/publications/cmb/2015/cmb2015_001_en.pdf. The EC noted that the degradation of privacy policies could affect other aspects of product quality or amount to an increase in the “price” paid by consumers for the product (i.e. requiring them to provide more personal data). The EC noted, however, that this would only be likely to affect competition where privacy was a key parameter of competition between fungible products.

19 Note particularly decision of the German Federal Cartel Office (Bundeskartellamt), February 2019: https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_Facebook.html?nn=3591568. The Bundeskartellamt required Facebook in future to obtain explicit voluntary consent before collecting user information from non-Facebook services, including both Facebook-owned platforms such as Instagram and third-party websites and apps, and integrating it into Facebook user profiles. It reasoned that Facebook has a dominant position in the social network market which it abused by collecting, merging and using personal data in user accounts in an unfair way. Users suffered harm by losing control of their data and through diminished competition, as Facebook would become increasingly indispensable for advertising to them.

20 https://www.openrightsgroup.org/about/reports/response-to-the-competition-and-markets-authority-study-into-online-platforms-and-the-digital-advertising-market

21 http://www.legislation.gov.uk/ukpga/2017/30/contents/enacted

22 https://www.openrightsgroup.org/about/reports/response-to-bbfc-age-verification-consultation

23 https://www.openrightsgroup.org/about/reports/analysis-of-bbfc-age-verification-certificate-standard-june-2019

24 https://www.ageverificationfacts.org.uk/

25 https://www.theguardian.com/culture/2019/oct/16/uk-drops-plans-for-online-pornography-age-verification-system 

26 https://services.parliament.uk/bills/2019-21/dataprotectionindependentcomplaint.html

27 http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/exiting-the-european-union-committee/the-progress-of-the-uks-negotiations-on-eu-withdrawal/oral/84806.html#Panel1

28 https://www.crowdjustice.com/case/immigrationexemption/

29 https://www.huffingtonpost.co.uk/entry/home-office_uk_5b3f9f27e4b07b827cc02136

30 https://www.openrightsgroup.org/press/releases/2019/controversial-immigration-exemption-used-in-60-of-cases,-court-case-reveals

31 https://www.openrightsgroup.org/press/releases/2019/open-rights-group-and-the3million-seek-to-appeal-immigration-exemption-judgment

32 https://www.crowdjustice.com/case/immigrationexemption2/

33 https://www.theiet.org/membership/member-news/member-news-2019/iet-members-invited-to-attend-a-roundtable-on-electronic-voting/

34 https://www.theregister.co.uk/2019/08/19/cost_and_delivery_concerns_raised_over_mayoral_ecounting_system/

35 https://tech.newstatesman.com/policy/less-bark-more-bite-dissecting-public-opinion-on-the-regulation-of-online-political-ads

36 https://www.openrightsgroup.org/about/reports/response-to-the-consultation-of-the-house-of-lords-democracy-and-digital-technologies-committee

37 https://www.openrightsgroup.org/about/reports/org-response-to-ico-consultation-on-draft-framework-code-of-practice-for-use-of-personal-data-in-political-campaigning

38 https://youtu.be/hjLwFgVRizg?t=6049

39 https://fairvote.uk/appg-6th-session-illuminates-anti-democratic-aspects-of-digital-campaigning/

40 https://www.openrightsgroup.org/press/releases/2019/civil-society-organisations-raise-concerns-over-rules-designed-to-prevent-a-new-cambridge-analytica

41 https://news.sky.com/story/labour-failing-on-digital-rights-say-campaigners-11795068

42 https://news.sky.com/story/general-election-labour-party-ranking-voters-to-decide-who-to-canvas-11871822

43 https://news.sky.com/story/the-lib-dems-are-using-data-to-profile-every-voter-in-uk-and-give-you-a-score-11828202

44 https://wiki.openrightsgroup.org/wiki/Internet_Safety_Strategy

45 https://wiki.openrightsgroup.org/wiki/Digital_Charter

46 Nash, Victoria, Internet Regulation and the Online Harms White Paper: Stakeholder Workshop Summary (July 1, 2019). Available at SSRN: https://ssrn.com/abstract=3412790 or http://dx.doi.org/10.2139/ssrn.3412790

47 https://www.openrightsgroup.org/publications/response-to-consultation-on-the-online-harms-white-paper-july-2019/

48 Victoria Nash (2019) Revise and resubmit? Reviewing the 2019 Online Harms White Paper, Journal of Media Law, 11:1, 18-27, DOI: 10.1080/17577632.2019.1666475

49 https://wiki.openrightsgroup.org/wiki/Nominet/Domain_suspension_statistics

50 https://wiki.openrightsgroup.org/wiki/Counter-Terrorism_Internet_Referral_Unit

51 https://www.openrightsgroup.org/publications/uk-internet-regulation/

52 https://www.nominet.uk/nominet-announces-2019-uk-policy-consultation/ and https://www.openrightsgroup.org/publications/response-to-2019-nominet-consultation/

53 https://www.openrightsgroup.org/publications/org-regulation-report-ii/

54 https://www.openrightsgroup.org/publications/collateral-damage-in-the-war-against-online-harms/

55 https://www.openrightsgroup.org/press/releases/2018/uk-mass-surveillance-ruled-unlawful-in-landmark-judgment

56 https://dpglaw.co.uk/surveillance-case-goes-to-european-court-of-human-rights/ 

57 https://www.parliament.scot/S5_JusticeSubCommitteeOnPolicing/Inquiries/ICT-ORG-CyberKiosks.pdf

58 https://scotland.openrightsgroup.org/publications/report-seizing-the-future-seeking-clarity-of-law-in-the-seizure-and-search-of-mobile-devices-in-scotland/

59 https://www.parliament.scot/parliamentarybusiness/CurrentCommittees/111642.aspx

60 http://www.parliament.scot/parliamentarybusiness/report.aspx?r=12191&mode=pdf

61 https://scotland.openrightsgroup.org/publications/scottish-biometrics-commissioner-response-to-justice-committee-call-for-evidence/

62 https://scotland.openrightsgroup.org/publications/joint-letter-to-cabinet-secretary-humza-yousaf-on-scottish-biometrics-commissioner/

63 https://www.youtube.com/watch?v=tGYHSBo7O9w

64 https://www.dailyrecord.co.uk/news/scottish-news/new-porn-pass-law-sparks-14435214

65 https://theferret.scot/police-scotland-forensic-analysis-mobile-phones/

66 https://www.youtube.com/watch?v=WUG9GPBMfXU&feature=emb_title

67 khttps://youtu.be/WUG9GPBMfXU

68 https://youtu.be/3YzW2OQ7w9U

69 https://youtu.be/lgjLdcltFuI