The Saga Of the Privacy Shield…


(With apologies to all poets everywhere)

 

Listen to the tale I tell

Of Princes bold and monsters fell

A tale of dangers well conceal’d

And of a bright and magic shield

 

There was a land, across the bay

A fair land called the USA

A land of freedom: true and just

A land that all the world might trust

 

Or so, at least, its people cheered

Though others thought this far from clear

From Europe all the Old Folk scowled

And in the darkness something howled

 

For a monster grew across the bay

A beast they called the NSA,

It lived for one thing: information

And for this it scoured that nation

 

It watched where people went and came

It listened and looked with naught of shame

The beast, howe’er, was very sly

And hid itself from prying eyes

 

It watched while folk from all around

Grew wealthy, strong and seeming’ sound

And Merchant Princes soon emerged

Their wealth it grew surge after surge

 

They gathered data, all they could

And used it well, for their own good

They gave the people things they sought

While keeping more than p’rhaps they ought

 

And then they looked across the bay

Saw Old Folk there, across the way

And knew that they could farm those nations

And take from them their information

 

But those Old Folk were not the same

They did not play the Princes’ game

They cared about their hope and glory

Their laws protected all their stories

 

‘You cannot have our information

Unless we have negotiations

Unless our data’s safe and sound

We’ll not let you plough our ground’

 

The Princes thought, and then procured

A harbour safe and quite secure

Or so they thought, and so they said

And those Old Folk gave them their trade

 

And so that trade just grew and grew

The Old Folks loved these ideas new

They trusted in that harbour’s role

They thought it would achieve its goal

 

But while the Princes’ realms just grew

The beast was learning all they knew

Its tentacles reached every nook

Its talons gripped each face, each book

 

It sucked up each and ev’ry drop:

None knew enough to make it stop

Indeed, they knew not what it did

‘Til one brave man, he raised his head

 

And told us all, around the world

‘There is a beast, you must be told’

He told us of this ‘NSA’

And how it watched us day by day

 

He told us of each blood-drenched claw

He named each tentacle – and more

And with each word, he made us fear

That this beast’s evil held us near

 

In Europe one man stood up tall

“Your harbour is not safe at all!

You can’t protect us from that beast

That’s not enough, not in the least!”

 

He went unto Bourg of Luxem

The judges listened care’fly to him

‘A beast ‘cross the bay sees ev’rywhere

Don’t send our secrets over there!’

 

The judges liked not what they saw

‘That’s no safe harbour,’ they all swore

“No more stories over there!

Sort it out! We do all care!”

 

The Princes knew not what to do

They could not see a good way through

The beast still lurked in shadows dark

The Princes’ choices seemed quite stark

 

Their friends and fellows ‘cross the bay

Tried to help them find a way

They whispered, plotted, thought and plann’d

And then the Princes raised their hands

 

“Don’t worry now, the beast is beaten

It’s promised us you won’t be eaten

It’s changed its ways; it’s kindly now

And on this change you have our vow

 

Behold, here is our mighty shield

And in its face, the mighty yield

It’s magic, and its trusty steel

Is strong enough for all to feel

 

Be brave, be bold, you know you should

You know we only want what’s good”

But those old folk, they still were wary

That beast, they knew, was mighty scary

 

“That beast of yours, is it well chained?

Its appetites, are they contained?

Does it still sniff at every door?

Its tentacles, on every floor?”

 

The Princes stood up tall and proud

“We need no chains”, they cried aloud

“Our beast obeys us, and our laws

You need not fear its blunted claws.”

 

“Besides,” they said, “you are contrary

You have your own beasts, just as scary”

The Old Folk looked a mite ashamed

‘Twas true their own beasts were not tamed

 

“‘Tis true our beasts remain a blight

But two wrongs never make a right

It’s your beast now that we all fear

Tell us now, and make it clear!”

 

“Look here” the Princes cried aloud

“Of this fair shield we all are proud,

Its face is strong, its colours bright

There’s no more need for any fright.”


The Old Folk took that shield in hand

‘Twas shiny, coloured, bright and grand

But as they held it came a worry

Why were things in such a hurry?

 

Was this shield just made of paper?

Were their words just naught but vapour?

Would that beast still suck them dry?

And their privacy fade and die?

 

Did they trust the shield was magic?

The consequences could be tragic

The monster lurked and sucked its claws

It knew its might meant more than laws

 

Whatever happened, it would win

Despite the tales the Princes spin

It knew that well, and so did they

In that fair land across the bay.

 

 

 

 

Does the UK engage in ‘mass surveillance’?


When giving evidence to the Parliamentary Committee on the Draft Investigatory Powers Bill, Home Secretary Theresa May stated categorically that the UK does not engage in mass surveillance. The reaction from privacy advocates and many in the media was something to see – words like ‘delusional’ have been mentioned – but it isn’t actually as clear cut as it might seem.

Both the words ‘mass’ and ‘surveillance’ are at issue here. The Investigatory Powers Bill uses the word ‘bulk’ rather than ‘mass’ – and Theresa May and her officials still refuse to give examples or evidence to identify how ‘bulky’ these ‘bulk’ powers really are. While they refuse, the question of whether ‘bulk’ powers count as ‘mass’ surveillance is very hard to determine. As a consequence, Theresa May will claim that they don’t, while skeptics will understandably assume that they do. Without more information, neither side can ‘prove’ they’re right.

The bigger difference, though, is with the word ‘surveillance’. Precisely what constitutes surveillance is far from agreed. In the context of the internet (and other digital data surveillance) there are, very broadly speaking, three stages: the gathering or collecting of data, the automated analysis of the data (including algorithmic filtering), and then the ‘human’ examination of the results of that analysis or filtering. This is where the difference lies: privacy advocates and others might argue that the ‘surveillance’ happens at the first stage – when the data is gathered or collected – while Theresa May, David Omand and those who work for them would be more likely to argue that it happens at the third stage – when human beings are involved.

If the surveillance occurs when the data is gathered, there is little doubt that the powers envisaged by the Investigatory Powers Bill would constitute mass surveillance – the Internet Connection Records, which appear to apply to pretty much everyone (so clearly ‘mass’) would certainly count, as would the data gathered through ‘bulk’ powers, whether it be by interception, through ICRs, or through the mysterious ‘bulk personal datasets’ about which we are still being told very little.

If, however, the surveillance only occurs when human beings are involved in the process, then Theresa May can argue her point: the amount of information looked at by humans may well not be ‘massive’, regardless of how much data is gathered. That, I suspect, is her point here. The UK doesn’t engage in ‘mass surveillance’ on her terms.

Who is right? Analogies are always dangerous in this area, but it would be like installing a camera in every room of every house in the UK, turning that camera on, having the footage recorded and stored for a year – but having police officers only look at limited amounts of the footage and only when they feel they really need to.

Does the surveillance happen when the cameras are installed? When they’re turned on? When the footage is stored? When it’s filtered? Or when the police officers actually look at it? That is the issue here. Theresa May can say, and be right, that the UK does not engage in mass surveillance, if and only if it is accepted that surveillance only occurs at the later stages of the process.

In the end, however, it is largely a semantic point. Privacy invasion occurs when the camera is installed and the capability of looking at the footage is enabled. That’s been consistently shown by recent rulings at both the Court of Justice of the European Union and the European Court of Human Rights. Whether it is called ‘surveillance’ or something else, it invades privacy – which is a fundamental right. That doesn’t mean that it is automatically wrong – but that the balancing act between the rights of privacy (and freedom of expression, of assembly and association etc that are protected by that privacy) and the need for ‘security’ needs to be considered at the gathering stage, and not just at the stage when people look at the data.

In practice, too, the middle of the three stages – the automated analysis, filtering or equivalent – may be more important than the last one. Decisions are already made at that stage, and this is likely to increase. Surveillance by algorithm is likely to be (and may already be) more important than surveillance by human eyes, ears and minds. That means that we need to change our mindset about which part of the surveillance process matters. Whether we call it ‘mass surveillance’ or something else is rather beside the point.

Global letter on Encryption – why it matters.

I am one of the signatories on an open letter to the governments of the world that has been released today. The letter has been organised by Access Now and there are 195 signatories – companies, organisations and individuals from around the world.

The letter itself can be found here. The key demands are the following:

[Screenshot of the letter’s key demands]

It’s an important letter, and one that should be shared as widely as possible. Encryption matters, and not just for technical reasons and not just for ‘technical’ people. Even more than that, the arguments over encryption are a manifestation of a bigger argument – and, I would argue, a massive misunderstanding that needs to be addressed: the idea that privacy and security are somehow ‘alternatives’ or at the very least that privacy is something that needs to be ‘sacrificed’ for security. The opposite is the case: privacy and security are not alternatives, they’re critical partners. Privacy needs security and security needs privacy.

The famous (and much misused) saying often attributed (probably erroneously) to Benjamin Franklin, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety” is not, in this context at least, strong enough. In relation to the internet, those who would give up essential privacy to purchase a little temporary security will get neither. It isn’t a question of what they ‘deserve’ – we all deserve both security and privacy – but that by weakening privacy on the internet we weaken security.

The conflict over encryption exemplifies this. Build in backdoors, weaken encryption, prevent or limit the ways in which people can use it, and you reduce both their privacy and their security. The backdoors, the weaknesses, the vulnerabilities that are provided for the ‘good guys’ can and will be used by the ‘bad guys’. Ordinary people will be more vulnerable to criminals and scammers, oppressive regimes will be able to use them against dissidents, overreaching authorities against whistleblowers, abusive spouses against their targets and so forth. People may think they have ‘nothing to hide’ from the police and intelligence agencies – but that is to fundamentally miss the point. Apart from everything else, it is never just the police and the intelligence agencies that our information needs protection from.

What is just as important is that there is no reason (nor evidence) to suggest that building backdoors or undermining encryption helps even in the terms suggested by those advocating it. No examples have been provided – and whenever they are suggested (as in the aftermath of the Paris terrorist attacks) they quickly dissolve when examined. From a practical perspective it makes sense. ‘Tech-savvy’ terrorists will find their own way around these approaches – DIY encryption, at their own ends, for example – while non-tech savvy terrorists (the Paris attackers seem to have used unencrypted SMSs) can be caught in different ways, if we use different ways and a more intelligent approach. Undermining or ‘back-dooring’ encryption puts us all at risk without even helping. The superficial attractiveness of the idea is just that: superficial.

The best protection for us all is a strong, secure, robust and ‘privacy-friendly’ infrastructure, and those who see the bigger picture understand this. This is why companies such as Apple, Google, Microsoft, Yahoo, Facebook and Twitter have all submitted evidence to the UK Parliament’s Committee investigating the draft Investigatory Powers Bill – which includes provisions concerning encryption that are ambiguous at best. It is not because they’re allies of terrorists or because they make money from paedophiles, nor because they’re putty in the hands of the ‘privacy lobby’. Very much the opposite. It is because they know how critical encryption is to the way that the internet works.

That matters to all of us. The internet is fundamental to the way that we live our lives these days. Almost every element of our lives has an online aspect. We need the internet for our work, for our finances, for our personal and social lives, for our dealings with governments, corporations and more. It isn’t a luxury any more – and neither is our privacy. Privacy isn’t an indulgence – and neither is security. Encryption supports both. We should support it, and tell our governments so.

Read the letter here – and please pass it on.

MPs, privacy and the Wilson Doctrine

A ruling of the Investigatory Powers Tribunal in the case brought by MP Caroline Lucas, peer Baroness Jones of Moulsecoomb and former MP George Galloway, has effectively confirmed the death of the Wilson Doctrine, which was thought to protect the communications of MPs and members of the House of Lords. Indeed, to a great extent it confirmed that this doctrine had always been a bit of a fiction, despite being confirmed at various stages by Margaret Thatcher, Tony Blair, Gordon Brown and Theresa May – the latter as recently as July this year. ‘Obviously,’ Theresa May told the House of Commons in the all-too-short debate that made up the shabby process that pushed the Data Retention and Investigatory Powers Act through Parliament in double quick time, ‘the Wilson Doctrine applies to parliamentarians’. And yet, in practice, it doesn’t and it didn’t.

What does apply, as the Investigatory Powers Tribunal details, is a set of codes of practice and guidelines that are intended to govern the interception of communications in general, and which have some specific mentions of Members of Parliament. That these codes of practice have only come into the public eye recently – and in part because of legal actions taken by NGOs Liberty and Privacy International – and that they have unclear (and probably non-existent) legal enforceability, and some exist only in draft form just adds to the lack of clarity in the area. There can (and will) be many technical discussions about the ruling and its precise implications, but I do not propose to go into them here. Instead, I want to look at the bigger questions. The only overall conclusion that can be drawn from the ruling is that the Wilson Doctrine is effectively dead. The biggest question is whether that matters in any real way.

Do MPs deserve special protection?

It would be fair to say that MPs do not have a great reputation these days, if they ever have. They’re rarely considered honest or trustworthy, suspected of feathering their own nests through the expenses system, of being in the hands of lobbyists and largely only in it for themselves. There is a tendency to think that rather than their deserving more privacy than ‘ordinary’ people, they deserve less – they should be more open to our scrutiny than they are, more exposed to the public, given that they are supposed to be serving the public.

There is certainly an element of truth in that – and things like the exposé of Malcolm Rifkind and Jack Straw’s lobbying activities seemed to receive a good deal of public support, even if the Commons Standards Committee ultimately exonerated them. And yet MPs’ communications do matter, and there are some very good reasons to give them special protection. The principal point isn’t to protect the MPs themselves, but the people who are communicating with them. When people contact their MPs, they are often in a vulnerable position. They might be whistle-blowers, they might feel themselves in danger – what they are very likely to be doing is seeking help, and have nowhere else to turn. One of the key points about the Wilson Doctrine is not – or should not be – to protect MPs’ shady dealings with lobbyists or worse, but to protect the individual, vulnerable people who wish to communicate with them.

It’s easy not to feel sympathy for MPs. Indeed, it’s easy to feel anger, frustration or worse towards them – but they do play a critical role, and they are supposed to represent us. In that role, they need special protection, just as lawyers need special protection when communicating with their clients, and journalists with their sources. The point isn’t to protect the lawyers or journalists, but their clients and sources respectively.

Modern surveillance

One of the arguments that underpins the IPT’s ruling is that modern surveillance is different from that which existed in Wilson’s days – and that the oversight of that surveillance and the rules that govern it are better than what existed in Wilson’s days. The current system, according to this logic, the one based around the somewhat notorious RIPA, provides more oversight, more accountability and more transparency than has been seen before. As expressed in the ruling (para 34):

“MPs’ communications with their constituents and others are protected, like those of every other person, by the statutory regime established by Part 1 of RIPA 2000. The critical control is the requirement for a Secretary of State’s warrant, which can only be issued if the requirements of Section 5 are satisfied. That regime is sufficient to protect such communications and nothing further is required by the ECHR.”

It is a system that as the IPT points out has been found to be generally satisfactory by the European Court of Human Rights – though they do not note that the case in which this was found, Kennedy, was in 2011. This, critically, was before the revelations of Edward Snowden that ultimately suggested that our surveillance system is very, very different from what we (and presumably the ECtHR) thought it was.

Indeed, this latter point is really the key. Yes, since Wilson was PM we have a more detailed and rigorous legal regime surrounding interception of communications – but we also have a vastly different degree of interception going on. The number of ways that this interception goes on is enormous, and the arguments concerning it have not been resolved in any satisfactory way. Does interception ‘happen’ when data is gathered, or when it is accessed? Does gathering of meta-data constitute interception? Does algorithmic analysis of such data matter, or should we only be concerned when human intervention occurs? All these questions and many more are still very much under debate – to assume that the situation is clear and simple is to fundamentally misunderstand the current state of affairs. Even in the last few weeks, with the monumental invalidation of the Safe Harbor agreement, the US and the CJEU have disagreed fundamentally about what constitutes ‘indiscriminate surveillance’.

Further, the legal regime for surveillance, as review after review in the last year has pointed out, has not kept up with the nature of the surveillance, and the oversight has been revealed to be far, far less effective than it might be. The Intelligence and Security Committee has demonstrated itself to be little more than a rubber stamp body, engaging in little more than political theatre at times. Do we have effective oversight? The jury, I would say, is very much out on this: the clearly recognised need for reform of the laws governing surveillance puts it in severe doubt. The admission of the effective non-existence of the Wilson Doctrine makes this even clearer.

The need for reform

That puts yet another little bit of pressure on the need to reform. The forthcoming Investigatory Powers Bill is due to be published very shortly – will it have anything about the Wilson Doctrine in it? A parliamentary debate has been scheduled for Monday, specifically about the Wilson Doctrine, and I would hope that the question of whether to have anything specific about the Wilson Doctrine within the new bill, or within codes or regulations referred to in the bill, would be one of the issues discussed. Personally, I think our political representatives do need special protection, as do lawyers and journalists, but I think we all need more protection than we currently receive. I would also hope that the minds of MPs are focussed by a debate that actually impinges on their own activities, and that they can learn from this why all of us need and deserve privacy.

The Surveillance Elephant in the Room…


Yesterday’s decision in the Court of Justice of the European Union (CJEU) in what has been dubbed the ‘Europe vs Facebook’ case was, as the Open Rights Group puts it, a ‘landmark victory for privacy rights’. Much has already been written about it. I do not propose to cover the same territory in any depth – the Open Rights Group blog post linked to above gives much of the background – but instead to examine the response of the European Commission, and the elephant in the Commission’s room: surveillance.

The judgment was published yesterday morning, and its essence was very simple. The ‘safe harbor’ agreement, which effectively allows personal data to be transferred from the EU to the US by some 4,000 or so companies, was declared invalid, because though under the agreement the relevant US companies promise to provide protection for that data in many ways – security, promising not to repurpose it, misuse it, hold it longer than necessary and so forth, essentially along the lines of European Data Protection law – there was one thing that it could not provide protection from: surveillance by the US authorities.

As the CJEU put it (paragraph 94 of the ruling):

“…legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life…”

This is where the European Commission comes in. It was the Commission that made the ‘safe harbor’ decision, setting up the safe harbor system, which should, in accordance with data protection law, have ensured that data was adequately protected in the US. The Commission did not ensure that – and did not even state that it did – primarily because the state of US surveillance law (and, as far as we know, US surveillance practice) could not allow it. US surveillance law means that ‘national security, public interest, or law enforcement requirements’ override privacy and other rights where non-US citizens are concerned, and EU citizens have no form of protection against this, or legal remedies available.

The Elephant in the Room

This, it must be clear, is a fundamental issue. If the US can do this, without control or redress, then whatever systems are in place, whatever systems are brought in to replace the now invalidated ‘Safe Harbor’, will similarly breach fundamental privacy rights. No new ‘safe harbor’, no individual arrangements for particular companies, no other sidestepping plans would seem to be possible. Unless US surveillance law – and US surveillance practice – is changed, no safe harbor would seem to be possible.

The Commission, however, does not seem willing – or perhaps ready – to confront this issue. Their brief statement in response to the ruling, published yesterday afternoon, does not mention surveillance even once. That in itself is quite remarkable. The closest it gets to accepting what is, in fact, the essence of the ruling, is a tangential reference to ‘the Snowden revelations in 2013’ without mentioning anything about what those revelations related to. There is no mention of US surveillance law, of the NSA, of national security or of anything else relating to it. The surveillance elephant in the room looms over everything but the Commission seems to be pretending that it does not even exist.

The US authorities, however, are quite aware of the elephant – in a somewhat panicky press release last week, between the opinion of the Attorney General that presaged the CJEU ruling, the ‘US Mission to the European Union’ said that the ‘United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens’. They do not, however, seem to have convinced the CJEU of this. Far from it.

Heads in the sand

In a way it should not be a surprise that the Commission seems to have its head in the sand about this issue. It is not at all easy to see a way out of this. Will the US stop or change its surveillance practices and law? It is hard to imagine that they would, particularly in response to a ruling in a European court. Can they provide convincing evidence that they are not engaging in mass, indiscriminate surveillance? Again it seems unlikely, primarily because the evidence increasingly points in precisely the opposite direction.

There are big questions about what actually constitutes ‘surveillance’ – does surveillance occur when data is ‘collected’, when it is accessed automatically or analysed algorithmically, or when human eyes are involved? The US (and UK) authorities suggest the latter, but the European Courts (both the CJEU and the European Court of Human Rights) have found that privacy rights are engaged when data is gathered or held – and rightly so, in the view of most privacy scholars. There are many reasons for this. There is a chilling effect of the existence of the surveillance apparatus itself and the ‘panopticon’ issue: we alter our behaviour when we believe we might be being watched, not just when we are watched. There is the question of data vulnerability – if data has been gathered, then it might be hacked, lost or leaked even before it is analysed. The very existence of the Snowden leaks makes it clear that even the NSA isn’t able to guarantee its data security. Fundamentally, where data exists, it is vulnerable. There are other arguments – the strength of algorithmic analysis, for example, may well mean that there is more effective intrusion without human involvement in the process, the importance of meta-data and so forth – but they all point in the same direction. Data gathering, despite what the US and UK authorities might wish to say, does interfere with our privacy. That means, in the end, that fundamental rights are engaged.

What happens next?

That is the big question. The invalidation of safe harbor has huge repercussions and there will be some manic lobbying taking place behind the scenes. The Commission will have to consider the surveillance elephant in the room soon. It isn’t going away on its own.

And behind that elephant there are other elephants: if US surveillance and surveillance law is a problem, then what about UK surveillance? Is GCHQ any less intrusive than the NSA? It does not seem so – and this puts even more pressure on the current reviews of UK surveillance law taking place. If, as many predict, the forthcoming Investigatory Powers Bill will be even more intrusive and extensive than current UK surveillance laws this will put the UK in a position that could rapidly become untenable. If the UK decides to leave the EU, will that mean that the UK is not considered a safe place for European data? Right now that seems the only logical conclusion – but the ramifications for UK businesses could be huge.

More huge elephants are also looming – the various world-wide trade agreements currently being semi-secretly negotiated, from the TPP (Trans-Pacific Partnership – between the various Pacific Rim countries including the US, Australia, NZ, Japan) to the TISA (the Trade In Services Agreement), TTIP (Transatlantic Trade and Investment Partnership – between the EU and the US) and CETA (Comprehensive Economic and Trade Agreement – between Canada and the EU)  seem to involve data flows (and freedom from government interference with those data flows) that would seem to fly directly in the face of the CJEU ruling. If data needs to be safe from surveillance, it cannot be allowed to flow freely into places where surveillance is too indiscriminate and uncontrolled. That means the US.  These agreements would also seem likely to allow (or even require) various forms of surveillance to let copyright holders ensure their rights are upheld – and if surveillance for national security and public safety is an infringement of fundamental rights, so would surveillance to enforce copyright.

What happens next, therefore, is hard to foresee. What cannot be done, however, is to ignore the elephant in the room. The issue of surveillance has to be taken on. The conflict between that surveillance and fundamental human rights is not a merely semantic one, or one for lawyers and academics, it’s a real one. In the words of historian and philosopher Quentin Skinner “the current situation seems to me untenable in a democratic society.” The conflict over Safe Harbor is in many ways just a symptom of that far bigger problem. The biggest elephant of all.

The ethical case for ad-blocking

The ad-blocking wars have been hotting up over the last few months – triggered in part by Apple’s integration of ad-blocking into the new version of iOS, the operating system for iPhones and iPads. Some of the commentary, particularly from those associated with the advertising industry, has been more than a touch hyperbolic. Seasoned internet-watchers will be very familiar with ‘such-and-such will break the internet’ stories: the number of things that we’ve been told will break the internet over the years is huge. It’s as familiar as the ‘such-and-such technology/practice will kill music’ stories that have been around since the advent of recording – from home-taping to file-sharing, music has died almost as often as Sean Bean in the movies. And yet music still lives. And thrives. As does the internet, despite all the things that should have killed it.

The latest idea is that ad-blockers will break the internet. A particular piece in The Verge has been very widely read and shared – which puts forward the entirely believable suggestion that Apple has included ad-blocking in iOS as part of its global war with Google and Facebook. The overall premise is highly convincing – and of course Apple will do whatever it can to ‘win’ against Google and Facebook, and of course this is an opportunity to make some ground. Both Google and Facebook do make their money (or most of it) from advertising, so restricting, controlling or blocking advertising could potentially reduce that income. And Apple is a business, and will be looking for opportunities that give it a commercial advantage over its rivals. So, however, are Google and Facebook – despite their efforts to portray themselves as providers of free and wonderful services to all, guardians and supporters of freedom of expression and so fundamental to the infrastructure of the internet that we love that any challenges to them (and their business models) are challenges to the internet itself.

Publishers and the advertising industry – and in particular bodies that ‘represent’ the advertising industry – are equally aggressive, suggesting that ad-blocking is ‘unethical’, ‘hypocritical’ or worse. They have pursued ad-block software providers in the courts in Europe – consistently losing, most recently in Germany last week, where the makers of AdblockPlus made their fourth successful defence against a legal challenge. The media onslaught has been extensive, and supported by many commentators. And yet Adblock software seems to be increasingly popular and successful, both on computers and on mobile.

Why is this? Is it because those who use ad-blocking software are unethical? Because they come from the ‘something for nothing’ culture? Because they don’t understand the economics of the internet, and so are blindly going down a route that can lead only to disaster? I don’t think so. The reverse: I think that users of ad-blocking software are taking a positive route both ethically and economically. If anything, it is by extending the use of adblocking software that the future of the internet is being secured, not the reverse. The more people that use adblockers, the better the future for the internet.

Why do I think this? Well, first of all, I look at some of the positives and negatives of the use of adblockers.

In favour of ad-blocking:

  1. Makes your screen clearer and makes it easier to find and read the content (particularly important on mobile)
  2. Makes the experience cleaner, clearer and less annoying
  3. Speeds up your connection – stops those processor-hungry video ads in particular
  4. Saves you money if you pay for data (which many people do)
  5. Reduces your chances of picking up malware
  6. Protects (to some degree) your privacy by stopping trackers and profilers
  7. Protects (to some degree) your privacy by stopping others (e.g. government agencies) from piggybacking on the trackers and profilers
  8. It’s your freedom of choice to put whatever software you like on your own equipment.

Against ad-blocking:

  1. Disrupts the current advertising model that supports much of the free content on the internet
  2. Stops you receiving relevant and attractive ads tailored to your profile and behaviour

This second anti-ad-blocking point is a stretch to say the least, though it is one that the advertising industry likes to push. I am far from convinced. That then leaves only the first point, that using adblockers disrupts the advertising model. And it does, no question about it. It has the potential to disrupt it hugely, which is why the advertising industry and the publishers that are supported by it are in such turmoil.

The points in favour of ad-blocking, however, include some very strong ones. Fundamentally, and this is the point that the advertising industry seems very reluctant to admit, the current model is broken. Very badly broken, from the point of view of the user – and particularly the mobile user. The first four points are critical: speed of connection for mobile is a fundamental issue, most people pay for data, and the screens of even the biggest phones (I have an iPhone 6 plus) are small enough that advertisements often make pages all but impossible to read. One of my favourite newspapers, The Independent, was completely unreadable on my phone until I installed an ad-blocker.

The remaining points are more ‘niche’ – I am a privacy advocate, so the privacy points really matter to me, but I realise that not all people care as much as I do, even if I believe they should – but the first four are strong enough that the points against ad-blocking would need to be very compelling, and ultimately, to me at least, they are not. Indeed, precisely the opposite.

The current situation is unsustainable

Let me return to the main point against ad-blockers. They disrupt the current advertising model that underpins much of the ‘free’ internet. Two key words: disrupt and current. Privacy-invasive, processor-intensive, screen-filling advertising is very much the current system, not something that has always existed nor something that need always exist. To assume that a current model is a ‘required’ model, is a necessary model and will (and must) last forever is ridiculous in the face of the most cursory examination of history. Things change all the time – and sometimes that change is necessary. For many people (as the uptake of adblockers reveals) the change in the current advertising model is necessary right now.

The need for disruption

The question then is how the situation can change – and part of that is the need for disruption. Without disruption, nothing will change. That is where adblockers come in, and why the use of them is a positive ethical step. If we want change, we have to act in order to make that change happen. Without adblockers, would the advertising industry be willing to change their model? The evidence points strongly against that. Advertisements have become more intrusive, more processor-hungry, more screen-filling over recent months and years, not less so. The past record of the advertising industry is not one to be celebrated. Here are just a few examples:

  • They have pretty consistently fought against attempts to make advertising less intrusive, and supported the worst excesses of advertisers. Phorm, the creepiest and most privacy invasive of all, which thought it was OK to monitor people’s entire internet activity without consent, and even engaged in extensive secret trials without telling anyone, was supported directly by the industry bodies right until the end, when its model was ditched in the face of legal threats, EU action and being abandoned by its business partners.
  • The Do Not Track initiative – through which advertisers were intended to abide by user choices set out in their browsers – was so heavily undermined by the advertisers that it fell apart. Firstly they turned ‘do not track’ into ‘do not target’ – still tracking those who opted out, gathering data and profiling them, but not serving them with targeted ads. Then they refused to accept the idea that ‘not being tracked’ could be set as the default, saying that they would ignore that choice.
  • Google and others appear to have effectively side-stepped the do not track settings in the Safari browser, still tracking users though they had actively chosen not to be tracked: this is the backing to the Google vs Vidal-Hall case.

This is just a part of it – and does not even touch on the many other ethical issues connected to advertising. For advertisers to lecture others on ethics is more than a little hard to swallow.

How, then, can the advertising industry be persuaded to change its ways? The use of disruptive technology is one key tool. If the current dysfunctional situation is to be changed, and that would seem to many to be a good thing, then more use of that disruptive technology would seem to be necessary. Just as civil disobedience is sometimes critical to get social change, the same is true on the internet. It might be pushing it too far to say that we have a duty to use ad-blockers, but I don’t think it’s that much of a push.

There are some signs that some advertisers are taking the hint. The Electronic Frontier Foundation reported last week that ‘Adblockers and Innovative Ad Companies are Working Together to Build a More Privacy-Friendly Web’ – and I hope that this is a sign of better things to come. Would the ad companies have taken this kind of step without the uptake of adblockers? I think it highly unlikely.

What is clear to me, however, is that we need a new economic model to replace the current broken one. I do not know what that model will be, but I am confident that it will emerge. The internet will not ‘break’, any more than the music industry will collapse. Our disruption is part of how that new model will be created and developed. We should not be cowed by the advertising industry, particularly on ethical grounds.

The Labour Purge…. and social media privacy.

The so-called ‘Labour Purge’ has many disturbing elements – from the motivations behind those who might ‘need’ to be purged to the motivations of those who want to purge them – but there is one aspect that appeared yesterday that seems to have been largely ignored: the attitude to people’s privacy. There was one particular statement, reported in the Guardian, that I found particularly disturbing:

[Screenshot: the statement as reported in the Guardian]

There are many different elements to this statement that should bother us, but two linked points are particularly disturbing. Firstly, it suggests that the party has been scouring the internet to find social media profiles of people who have registered. Secondly, it seems to suggest that for people not to have clearly identifiable social media profiles is suspicious.

Privacy in public

The first idea, that it’s ‘OK’ to scour the net for social media profiles, then analyse them in detail, is one that is all too common. ‘It’s in the public, so it’s fair game’ is the essential argument – but it relies on a fundamental misunderstanding of privacy, and of the way that people behave. Privacy isn’t two-valued, with information either ‘public’ or ‘private’. It’s not even a spectrum, with some things more private, other things more public. It’s much more complex and nuanced than that. Some things we want to keep private from some people, and are happy to share with others. Some things we change our minds about. Time and context can change things. You might be happy for your friends to know something, but not your parents – or your kids. And vice versa. And it’s not about ‘hiding’ ‘bad’ stuff – again, it’s far more complex than that.

With social media this is particularly important. Though we should be wary of ‘real world’ analogies, in the context of politics it might be worth comparing the sort of conversations people have on Twitter, for example, with those we have in the pub. It’s a public place, and the things we say are ‘in public’, but when you chat with your mates around a table in a corner of the pub, do you expect that conversation to be recorded, and then pored over by your employers, the police, your relatives, your enemies, the local morality police etc? Do you think it would be OK for someone to have a microphone on the table next to you, and a camera hidden in their pint glass? Yes, this is ‘in public’, but in practice we do expect some degree of privacy – and if we didn’t, we wouldn’t have the kinds of important conversations that we do. If we expect to be watched and recorded, we’re more guarded – and less honest. We should encourage privacy, not ride roughshod over it, if we want honesty, freedom of speech, intelligent political debate and so on. Labour’s approach here is quite wrong.

Anonymity in social media

The second point is just as important. We should not expect people to have social media profiles – let alone identifiable social media profiles. What is more, this is particularly important for some of the people that Labour should care about and support the most. People may be ‘digitally excluded’, for a start – but they might also have extremely valid reasons to be pseudonymous on the internet. Vulnerable people, in particular, might need pseudonymity to protect them from those to whom they are vulnerable. Whistleblowers. People with abusive spouses. People with abusive or manipulative employers. Trade unionists, for example, might have that status used against them – there’s a reason that Trade Union membership is considered ‘sensitive personal data’ under the Data Protection Act. People might wish not to have their religion revealed to all and sundry. People might wish to separate their personal and professional lives for perfectly good reasons.

Respecting and supporting people

There is much more to say on this subject – but the underlying issue is the one that is most disturbing. What the Labour Party is doing may well breach the Data Protection Act – there is a discussion to be had here – but it is certainly at least verging on the creepy. It displays an attitude to people who wish to support them that is disappointing to say the least. It displays a distrust of – even a contempt for – people that should worry us.

Did they ask the people who applied to become supporters if it was OK for them to be scrutinised in this way? Did they inform them that they would be scrutinised in this way? Did they even think that it might be an issue? Did they check who would be doing the scrutiny, and what they would do with the data that they gathered? Have they compiled databases with the scrutiny information in – something that would certainly engage the Data Protection Act? Are there blacklists? How have they ensured that this data, these lists, are secure and not open to misuse? Have they even asked any of these questions?

The underlying attitude seems to be one of the classic and hideous misunderstandings of privacy: ‘if you’ve got nothing to hide, you’ve got nothing to fear’. If that’s still the attitude of the Labour Party, even after all the revelations of the last few years, they need to step back and think again.

Labour should embrace privacy

The Labour Party should embrace privacy, not ride roughshod over it. Privacy should protect the weak against the powerful. It should enable people to organise, to support themselves with and as a community. It should be precisely the sort of thing that Labour should support. They should remember the way that the powerful – whether governments, corporations, criminals or other powerful groups – invade privacy in order to cement and wield their power. They should remember how vulnerable people and vulnerable groups need privacy. They should always have known this – but now, particularly now, they should be aware of it, and change both their attitude and their actions.

DRIPA overturned…. an explanation and comment

The ruling in the High Court that overturned the Data Retention and Investigatory Powers Act (DRIP) may well turn out to be a significant one. At the time that it was passed, academics and privacy advocates were deeply disturbed not just by the bill but by the way it was passed – I blogged a number of times on the subject, including an Open Letter from myself and other academics, and a comment on the shabby process through which it was passed.

Our concerns appear to have been well founded – hence the overturning of the law – but they are part of a much bigger process through which the whole of our surveillance system is being held up to scrutiny and found wanting. The Anderson Report, the RUSI report, the rulings of the Investigatory Powers Tribunal and now this High Court ruling show a growing feeling that the current situation is unacceptable. It is no longer sufficient for the authorities to say ‘trust us’ with surveillance. Indeed, the more that comes out, the less they appear deserving of that trust. The passing of DRIPA, without proper scrutiny, without proper debate, and ignoring the criticisms of experts, showed contempt for people and for the nation – it is a very good thing that it has now been overturned. What happens next is another matter – but one that we should watch very carefully indeed.

Below is a post from the LSE Media Policy Blog, by Lorna Woods, explaining today’s ruling, reposted with permission.


Explaining the ruling that overturned the UK’s Data Retention & Investigatory Powers Act

The British High Court just invalidated the UK’s bill on retention and investigation of communications data that was enacted in 2014 in the wake of the overturning of the EU Data Retention Directive by the European court. Lorna Woods of the University of Essex explains the ruling and its implications. 

In a very rare outcome, the English High Court has declared that the Data Retention and Investigatory Powers Act (DRIPA) is inconsistent with European Union law and therefore is “disapplied”, although the Court suspended the effect of its order until after 31 March 2016. Liberty to appeal was granted.

DRIPA was rushed through Parliament last summer, much to the consternation of many, as this judicial review action evidences. DRIPA had been enacted in the wake of the Digital Rights Ireland decision of the European Court of Justice invalidating the Data Retention Directive (2002/58/EC), and the recognition that some of the activities of the police and security forces in this country in terms of surveillance and data access in any event had at best very dubious legal authority. DRIPA went through on the basis that, rather than involving new principles, it constituted mere clarification of the law. It was on the basis of EU law following Digital Rights Ireland that this action was brought.

The Judgment

Argument in court concerned what Digital Rights Ireland in fact said, and the impact a ruling on a directive should have on national legislation designed to implement it. The High Court argued that, although Digital Rights Ireland related to the Directive and not national legislation, the ECJ was questioning whether the EU legislature had, by instituting its data retention rules, overstepped the principle of proportionality in balancing the rights to privacy and data protection in the EU’s Charter on Fundamental Rights against law enforcement and national security objectives (see Articles 7, 8 on rights & Article 52(1) on limitations). The Court took the meaning of the case to be that:

‘the ratio of Digital Rights Ireland is that legislation establishing a general retention regime for communications data infringes rights under Articles 7 and 8 of the EU Charter unless it is accompanied by an access regime (laid down at national level) which provides adequate safeguards for those rights’. [para 89]

In terms of the criteria by which any domestic legislation should be judged, the English High Court held that “[w]e do not accept that the [ECJ’s ruling in Digital Rights Ireland] is authority for nothing more than the verdict [ie it only speaks to the validity of the directive], any more than we interpret the judgment as meaning that each criticism or concern which the Court expressed involves a fatal flaw in the legislation”. [para 90]. The English Court then came up with a three-part structure summarising the requirements of any such legislative scheme for it to be acceptable under EU law:

  • Derogation and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary, so any legislation must set down clear, precise rules regarding scope of derogation and safeguarding rights against risk of abuse;
  • Legislation establishing a general scheme of retention must expressly restrict the purposes for which the scheme is used to precisely defined serious crimes;
  • Prior review by a court is required [para 91]

The Court decided not to make a reference to the ECJ on the question, although similar questions are pending from a Swedish Court before the ECJ on similar domestic legislation. The requirements derived from Digital Rights Ireland were not satisfied by DRIPA.

Next Steps

Although the Court ordered disapplication, which means the law will not be enforced, it suspended the effect of that order to allow the Government time to re-legislate. It seems that there is a growing consensus that some change to allow proper safeguards is required – as can be seen in the Anderson Report and in the RUSI Report. It is to be hoped that this time, the Government gives adequate notice to allow proper scrutiny of the proposed measures: a lack of scrutiny has been an ongoing concern about the passage of DRIPA and other measures in this area.

This case will no doubt give rise to a number of legal questions – and leave to appeal has been granted – but two immediate questions occur. The first relates to the scope of the disapplication: the Secretary of State for the Home Department who was defending DRIPA in this case raised at the last minute whether national security fell within the scope of EU law. If it does not, the arguments raised here would not apply to it. The Court did not deal with this argument as it was raised at the last minute. Secondly, if the High Court accepts that DRIPA is incompatible with EU law, as it has just argued, then how does it have the power to suspend disapplication until March next year? According to the ECJ, EU law is supreme and needs no intervention from the domestic legal systems to make it so. From that perspective, today’s disapplication could not be delayed. The Government now needs to prioritise re-legislating on the retention and investigation of communications data.

This article gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.


 

GCHQ, the Investigatory Powers Tribunal and Amnesty – two small points…

The news that the Investigatory Powers Tribunal has sent a letter confirming and apologising for an ‘error’ in its ‘Determination of 22 June 2015’ – a ruling on the case taken by Liberty, Privacy International and others (notably including Amnesty International) – has created quite a stir. The IPT has admitted that the breach it had said related to the Egyptian Initiative for Personal Rights had in fact been in relation to Amnesty International.

This will no doubt be analysed at depth – particularly by Amnesty International and others. I have just two points to make at this stage in relation to it.

A ‘technical’ breach

The first concerns the nature of the breach. Effectively, the breach was that data, once gathered, was held for too long – in the words of the determination of 22 June 2015 (paragraph 14):

“…the time limit for retention permitted under the internal policies of GCHQ, the intercepting agency, was overlooked in regard to the product of that interception, such that it was retained for materially longer than permitted under those policies.”

This is regarded as a ‘technical’ breach, as the IPT was satisfied that the data was not accessed after the expiry of the ‘relevant retention time limit’, but is still a breach of Article 8 of the ECHR. That, however, does not really give the whole picture. Data retention periods matter, and in a way that is far more significant than regarding a ‘technical’ breach as insignificant. Where a surveillance approach based on ‘gather as much as possible, hold for later use’ is concerned, the data retention period is one of the most important dimensions.

Moreover, it should be noted that it is internal policy that determines the retention period here, not anything set down in law or subject to public scrutiny.

A deeply worrying confusion

The second, perhaps even more worrying issue, is the nature of the ‘confusion’ between the two NGOs. Amnesty International are a very different beast than the Egyptian Initiative for Personal Rights. Different in scale, different in nature, different in origin, different in focus. For the IPT to make an error like this is deeply worrying – and casts doubt on a number of aspects of their ability to properly scrutinise the activities of GCHQ. As noted in Paragraph 3 of the Determination of 22 June 2015:

“The Tribunal has also found it useful and important to ask itself in the course of its consideration the following questions (derived from an amalgam and adaptation of the submissions of Mr Ryder QC and Mr Tomlinson QC):

(a)  What is the identity and nature of the claimants concerned and the nature of their communications and their activities (including their position as NGOs)?”

How can the IPT have made an appropriate decision based on the ‘identity and nature of the claimants’ – including their position as NGOs – when it was confused between two such radically different (in identity and nature) claimants as Amnesty International and the Egyptian Initiative for Personal Rights?

A question of trust?

David Anderson QC, the Independent Reviewer of Terrorism Legislation, entitled his recent report on surveillance ‘A question of trust’ and did so for a reason. Trust is needed – but it needs to be earned. One possible explanation for the IPT’s error is that they were basing their analysis on too much trust in GCHQ. Indeed, it appears it was GCHQ who alerted the IPT to their error – which in itself raises a lot of interesting points. These points, along with the nature of the error itself, make it harder to trust the IPT’s ability to oversee the activities of GCHQ.

That matters. David Anderson’s conclusions seem even more significant now – and in particular his recommendation for a ‘new, powerful, visible and accountable intelligence and surveillance auditor and regulator’. The current system – from the rubber-stamping Intelligence and Security Committee to the IPT – does not inspire trust at all.

That British Bill of Rights…

The much discussed ‘British Bill of Rights’ is already being drafted. I can exclusively bring you some extracts* of the current draft.


Article 1 – Right to Life

Everyone shall have the right to life, unless their death is deemed necessary in the interests of national security, or if they cannot afford the relevant insurance to pay for hospital bills.

—-

Article 6 – Right to a Fair Trial

Everyone shall have the right to a fair trial unless they cannot afford it or the Home Secretary should decide that such a trial is not necessary in the interests of national security

—-

Article 8 – Right to a Private Life

Everyone shall have the right to respect for their private and family life, except if any intrusion in that private or family life is performed by the police, the security services, tabloid newspapers, Google, Facebook or any other commercial enterprise as agreed with the Secretary of State for Business, Innovation and Skills.

—-

Article 10 – Right to Freedom of Expression

Everyone shall have the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers, except if such information is deemed unsuitable, extreme, or otherwise inappropriate by the Home Secretary, the Prime Minister, Rupert Murdoch, Paul Dacre or the Taxpayers Alliance

—-

Article 11 – Freedom of assembly and association

Everyone has the right to freedom of peaceful assembly and to freedom of association with others, excluding the right to form and to join trade unions for the protection of his interests, and excluding any form of assembly or association that the Home Secretary should deem disorderly, embarrassing, annoying or otherwise objectionable.

—-

Article 12 – Right to Marriage

Everyone has the right to marry and found a family, but the choice of partner shall be considered subject to approval by the Home Secretary, the Minister for Inequality and the media.

—-

Scope of these rights

These rights shall be accorded to all British Citizens, except Scots, Welsh people, Irish people, those who the Home Secretary determines are undeserving of rights, or decides to strip citizenship from, or are determined by the media to be scroungers, immigrants or children of immigrants, internet trolls or persons otherwise objectionable in what the Prime Minister deems to be a democratic society.


This is understood to be the current draft, but it is believed that certain members of the cabinet believe these rights are too extensive and too generous.

*This may not actually be the real thing.