Recursive censoring?

Most people will be familiar by now with the story regarding Leon Brittan and the paedophile dossier as well as Google censoring certain results after legal demands had been made (for more details on the story click here).

Now it seems things are getting a little stranger. Not only is Google apparently censoring results but pages are also disappearing from media organisations too. Virtually none of the mainstream press have covered this story but the one that has – The Daily Telegraph – appears to have decided to remove the article in question. Searching for ‘Leon Brittan PIE’ in Google gets me this:

[Image: screenshot of the Google search results]

You’ll note that the second to last link refers to a Daily Telegraph article. Clicking on the link however just gives me a ‘missing page’ message from the Telegraph website. For those of you that are interested the URL that the hyperlink uses is this:

Clicky

So now it seems that the fact that the censoring is going on is now itself being censored.

The ICO: as useful as a chocolate teapot?

The ICO deals with two main areas of responsibility: dealing with appeals in regards to Freedom of Information requests and any issues connected with the Data Protection Act. Personally speaking I do have a degree of respect for the ICO when it comes to how they deal with matters pertaining to Freedom of Information. I might not always agree with their conclusions but it’s easy to see that some thought has normally gone into them. Data protection is, however, a different matter. Getting them to do anything seems to be an uphill struggle and often next to impossible. A good demonstration of this would be my recent complaint to them in regards to a form apparently set up on Tom Watson’s behalf.

Many of you will be aware of the plan for a free copy of the Sun to be delivered to each home in England – Liverpool excepted. A lot of you will also be aware of Labour MP Tom Watson’s idea that people should be given the opportunity to stop the free copy from being delivered to their house. For those of you not familiar with the story, you may want to visit the following site:

http://labourlist.org/2014/06/world-cup-blues/

So far so good. Personally I have no real problem with this. The questionable journalism shown in the immediate aftermath of Hillsborough deserves to be condemned. The demand to stop such free copies from being delivered was clearly there, and Tom Watson – or one of his friends – was able to provide a form that allowed people to send in their details. These details would then be forwarded to the Royal Mail. I had even initially visited the site with the intention of signing up myself.

However in doing all this Tom Watson also displayed a level of hypocrisy that I believe also deserves to be condemned.

He mentions the Printers Imprint Act 1961. This is an obscure law that most people would not even be aware of. He continues with how the law needs to be enforced and how a £50 fine ought to be paid for each copy of the Sun sent out that breaks this law. Unfortunately for Tom Watson however the form provided is completely unprotected. Data is also sent outside the EEA without any protection each time details are submitted. My personal view is that this goes against the Data Protection Act. The DPA is a more fundamental law than the one that Tom Watson used to attack those working at the Sun. If the Sun deserves to be punished for their actions then so does Tom Watson in my opinion.

The website set up for this purpose can be found here:

http://notothesun.nationbuilder.com

The form asks the user for their:

  • First name
  • Last name
  • Mobile number
  • Email address
  • Postal address

And then submits them in plain text with no protection whatsoever via a server located in a banana republic like Costa Rica courtesy of a US company outside the reach of UK regulators.

Over 7,000 people have apparently filled out this form.

I sent an email to the ICO inquiring about the legality of such a move. An abridged copy of their response follows:

Thank you for raising your concern with us about the collecting of personal data in connection with a campaign to stop the Sun newspaper from being delivered to individuals who do not want to receive it.

You say that the data capture form is not protected by SSL.

We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for. Reporting your concerns to us will help us to do that.

Our role is primarily to consider whether there is an opportunity to improve the practice of the organisations we regulate, not to investigate or provide a formal adjudication on individual concerns.

As you are aware, the seventh data protection principle says that appropriate technical and organisational measures shall be taken against unauthorised processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This means that organisations are under a duty to keep personal information secure. However, the DPA does not specify what action they should take. The DPA recognises that there is no ‘one size fits all’ approach to data security. It is therefore necessary for organisations to adopt a risk-based approach to the level of security required in any particular circumstances. The measures an organisation takes should be appropriate to the nature of the personal data and the harm that could result from a security breach.

The personal data in this case is not ‘sensitive’ in terms of the DPA definition. Neither is it particularly confidential. It does not, for example, include any details of bank accounts or credit card numbers. It is made quite clear what purpose the individual is providing their personal data for and what will happen to it. There is no indication that individuals are being misled in any way about what they are consenting to when they provide their personal data and it is entirely their choice to provide their personal data or not. Nevertheless, any security breach would cause inconvenience at the very least.

It is not entirely clear that Mr Watson is the data controller in this case but in view of the fact that his name appears in connection with the campaign, we will write to him to provide advice about compliance with the seventh principle.

In relation to your concerns about CloudFlare, as this appears to be a US-based company, it is outside the Information Commissioner’s jurisdiction.

We will not be taking any further action in relation to the specific points you raise at this time. However, we will retain details of these matters, to inform our overall view of current internet issues.

I also asked the ICO for their view of exporting data to the US or within the US sphere of influence given recent stories (not just the PATRIOT Act, but also FISAAA as well as the appearance of the complete lack of rights for non-Americans).

They have steadfastly refused to address this question. In addition they appear to have deliberately avoided dealing with the issue of exporting data outside the EEA by making it sound like the company is responsible for the export of data, rather than the person or persons setting up the form and choosing them as the provider. Cloudflare, the service provider that underpins the website in question, has offices in the UK. The website itself lists other UK organisations as users, but the ICO appears to have made zero effort to find out who was responsible for creating the form.

As for not being sensitive, personally I would suggest that somebody at the ICO read this:

http://blog.spiderlabs.com/2014/06/from-a-username-to-full-account-takeover.html

It would appear that I’m not the only one to notice the toothless nature of the ICO.

“One of the problems we have got as a community is that if you don’t fine people then they don’t do stuff.”

Martin Sugden, chief executive of security firm Boldon James, takes a dim view of his industry.

A veteran of the security industry, he believes the UK’s Information Commissioner’s Office (ICO) has been lax in punishing those who flout the data protection rules and are failing to deter bad behaviour.

Trawl through the security archive of CBR over the last few months and you would have to agree IT has a security problem.

[…]

He believes the office is not as investigative as it should be, and subsequently is “slow to affect things”.

http://www.cbronline.com/news/security/is-the-information-commissioner-doing-enough-to-protect-your-data-4311103

In my case ‘not as investigative as it should be’ would appear to be the same as ‘no investigation whatsoever’. It’s a real shame that we seem to have an ‘independent’ regulator that seems to be more concerned with the impact on the economy amongst other things than actually doing their job.

A lack of control over access to the French electoral lists?

Those who know me will know that I currently have French citizenship and as such am registered with the French consulate in London. The registration process involved providing certain personal details, including an email address. Since this didn’t seem unusual in any way I was quite content to provide one.

It would seem that control over who can access the electoral list held by the consulate is rather lax and as a result I had to put up with rather high levels of spam prior to the last election. Whilst this was frustrating it was at least understandable since part of the reason for the list in the first place is to facilitate communication between the candidates and those that can vote for them.

More worryingly however it would appear that access to these lists has been granted for other purposes unrelated to the electoral functions that the lists are supposed to facilitate. I recently started getting spam emails advertising the existence of a new web based TV station aimed at French citizens living in the UK: angleterre21.tv.

It should be noted at this point that the email address I provided to the consulate is only an alias and was only ever provided to the consulate. Combine this with the specific intended audience of the email – French citizens in the UK – and it’s rather easy to come to the conclusion that the organisation behind angleterre21.tv was provided with my address by the French government.

I emailed the ICO in the UK about this as I’m also British, but they told me that since this involved the French consulate it would have to be dealt with by the French authorities. To be fair this is what I expected but unfortunately the CNIL – the ICO’s French counterpart – make it surprisingly difficult for anybody abroad to contact them online. They don’t even provide an email address, which is in itself incomprehensible given the potential for French systems and laws to impact on their citizens living elsewhere around the world.

A telephone number or postal address is simply insufficient in such cases. Given the amount of time people tend to spend on hold would anybody want the astronomical phone bill that could result from an international phone call to the CNIL? In any case the ICO were kind enough to forward my concerns directly to the CNIL, so hopefully they’ll not only get my email but also act upon it.

While they’re doing that they could perhaps also look at some of my other concerns, one of which is why the French government is allowing personal information to be exported to a 3rd country with little or no rights to privacy for foreigners and no permission from the people concerned?

The website is hosted in the US. The owner, if his LinkedIn profile is to be believed, currently appears to live in the US and the bulk email service used is also located in the US. French authorities are happy, however, to see personal details entrusted to them sent to that country despite the continued lack of any privacy for French citizens there.

Why?

One law for the police, and one for everybody else?

Apparently a PCSO has been found guilty of illegally accessing police databases (the original article seems to have conveniently been removed).

This illegal access occurred over 5 years (which raises the question of why it took so long to catch her), but more importantly happened on 900 separate occasions. In addition she was only fined £500 rather than being handed a prison sentence. Apparently since she did not hand the data on to 3rd parties she was not charged with a more serious offense.

A few points come to mind as a result of this:

  • £500 for 900 offenses. That equates to only a 56p fine for each offense. This sort of level of punishment is clearly insufficient.
  • The government appeals lenient sentences in other cases, but rarely if ever appears to do so when it involves the police. Previous emails sent to my MP seem to suggest that the government think that blanket support should be given to the police as they do a difficult job. This may well be the case, but all this attitude achieves is the perpetuation of corruption (institutional corruption?) that gets increasingly worse over time because of the refusal to deal with it.
  • How can it be proven in this case that the data was not handed onto 3rd parties? Even her own solicitor mentions the PCSO’s own ‘dire financial’ circumstances as part of her defense in the original article, and it’s difficult to see why they would do so if the purpose of the data gathering wasn’t financial gain.
  • Why the differentiation in sentencing? Why does it matter whether it was shared or not? Access was illegal, and given the difficulty in really proving that the data was never supplied to 3rd parties surely there should be no difference between the two crimes?
  • And a last point: why was this PCSO allowed access in the first place? Or are they increasingly taking the place of ‘normal’ officers to the point that this access is needed for their job?

I can understand being lenient if the situation isn’t clear; nobody expects either police officers or PCSOs to be 1st class lawyers after all. However the lenient sentencing in cases where there has been a clear cut abuse of access really is impossible to comprehend, at least in terms other than there being one law for them and one for the rest of us.

Allowing people to pay a pittance each time they commit a crime can only encourage the same crime to be committed time and time again. The police need to be whiter than white, not merely the rather dirty and grubby grey that they only seem to manage at the moment.

I emailed my MP (Chris Grayling) to ask him why this situation was allowed to continue (he also happens to be the current justice secretary so I assumed he would be interested in this type of matter). His response was rather brief:

Sentencing is always a matter for the Courts, but there are tough penalties available to Judges handling individual cases if they consider them appropriate in the light of the evidence presented to them.

Which doesn’t say why 1) tough sentences are rarely if ever applied when the police are involved and 2) why the government allows this situation to continue. Tough sentencing may be available to judges but they have to follow sentencing guidelines and laws as laid down by parliament. It seems odd that more isn’t done about this when the government has previously complained about judicial activism at the EU level and has shown a certain willingness to appeal against lenient sentences when it involves members of the public.

Why bother with PCCs?

By now most people will be familiar with the corruption that goes on within the police, as well as the inability to take account of the needs of the general public in regards to how the police deal with different types of crimes. PCCs – or police and crime commissioners – were introduced to try and rectify this problem and encourage the police to take account of the wishes of the public.

One might expect the PCC to be broadly supportive of the general public and to make an effort to hold the police to account. This is unfortunately not the case if recent events are anything to go by.

One of the regular posters at NoDPI.org recently attended a meeting that allowed the general public to ask the chief constable questions. The PCC was also there. A brief transcript of what transpired can be found here, and a number of quotes are included below.

Safe to say things did not go well. It seemed fairly clear at the outset that things were going to be difficult.

Sue Mountstevens quickly interrupted me, and urged me to be brief.

This line from the article is revealing, since the PCC seems more interested in making life easier for the chief constable rather than making sure he answers the questions put to him.

But what happened next was more disappointing. Far from offering an account, Nick Gargan simply laughed at me. He laughed in my face.

This fundamental lack of respect for a member of the general public is rather revealing, as is the PCC’s apparent complete failure to stop him from showing such contempt to somebody simply asking him a question. Again apparently nothing was done on her part to correct matters.

He quickly composed himself, but then tried to assert that intercepting communications was ‘not a crime’.

Let me repeat that: intercepting communications is not a crime in the chief constable’s opinion. This was rather a surprise given the number of journalists that have already been arrested for such offenses. Perhaps Nick Gargan should have a word with Brooks and Coulson? In any case there was more: the home secretary responded to my questions with the following quote (emphasis added by me):

The Regulation of Investigatory Powers Act 2000 (RIPA) includes offences of unlawful interception – i.e. interception without a warrant or other lawful authority. A person who is found guilty of unlawful interception is liable to imprisonment for a term not exceeding two years or to a fine, or to both.

RIPA also contains a power for the Interception of Communications Commissioner to serve a monetary penalty notice on a person whom he considers has intercepted a communication without lawful authority. Mr Seurre asks whether companies are subject to RIPA. Individuals and companies can be prosecuted under the unlawful interception provisions. In the event that an offence has been committed by a private company, an officer of that company may be subject to the sanctions set out above.

If Mr Seurre believes that an offense has been committed, he should report this to the police. Alternatively he can contact the Interception of Communications Commissioners office at the following email address: info@iocco-uk.info

‘He should report this to the police’. What exactly would be the point of doing this if the police routinely ignore such reports? Surely any effort to do so would be an exercise in futility? Given recent stories about police and statistics I can only assume that this failure to recognise interception of communications as a crime is yet another effort to try and fiddle the numbers.

More worrying however is the appearance of failure of the PCC to do anything in regards to the chief constable’s unacceptable behaviour and incorrect conclusions. As a result I sent her an email basically asking her why she thought such behaviour was acceptable and what she intended to do to try and mitigate the lack of knowledge within the police force, and also included the advice sent to me from the home office. Her reaction was rather disheartening:

I spoke to your friend and also replied to his email in November 2013, to address his concerns and he may well have already shared this with you directly. Your friend is aware that the Chief Constable gave his response to each person who raised a question and this was also heard by all the audience.

You are very welcome to attend any of the public forums to get a first-hand account of the Constabulary’s response and also my own replies. If you ask a question and then feel that the person who replies acts in a way that brings the Constabulary into disrepute or their conduct is below the professional standards expected then you can make a complaint. If an apology is due then I am keen that it is given as soon as possible and any poor conduct is rectified to improve the quality of service going forward.

If you are unable to attend a Public Forum but still wish to hear and see the event then you may prefer to listen and watch online via the web-stream. Please refer to my website (as below) for more details of my calendar and future events.

No admission – or denial – that he behaved inappropriately. No admission that the chief constable got things wrong or any indication that any measures will be taken to correct matters. Nothing useful at all in fact.

Perhaps it’s because the PCC is responsible for hiring the chief constable, but in my opinion she seems to be more interested in protecting him instead of encouraging him to do his job. At this point it’s difficult to see PCCs as anything more than highly paid PR sock puppets for the police. They certainly don’t seem to be interested in holding the police to account, and personally speaking I find it extremely difficult to see how they serve any useful purpose.

Just why should we be paying for PCCs? What purpose do they serve?

Who regulates the filtering?

The subject of filtering internet connections by default ‘for the children’ has repeatedly come up over recent months. Like many people I was concerned at the possibility for censorship and abuse. Together with many others I emailed my MP to ask about the filtering (using the extremely convenient writetothem.com website), and my MP was kind enough to forward me a copy of the response that he had received from the DCMS. A copy of that response can be found here.

It would appear that the response consists of… nothing. When you strip out all the meaningless double speak there is nothing left. They acknowledge that respecting rights is a problem yet give no details whatsoever on how those rights will be respected.

This sort of attitude isn’t just a problem for the person sat at their PC trying to access online services. When people think of using the internet they tend to only think of the end user. The end user, however, is only part of the equation. They would have nothing to use if it wasn’t for the people that actually own and run the websites. Those website owners have as much a right to privacy, freedom of expression and freedom of association as anybody else. These are rights guaranteed in the ECHR (see articles 8, 10 and 11) and yet the blunt approach that filtering represents appears to completely ignore these rights. I am not a lawyer, but I’d nevertheless also be curious to know how the lack of any formal appeals procedure to stop incorrectly applied censorship could possibly ever comply with article 13 of the convention.

It’s pretty much guaranteed that even with the best of intentions errors will creep in. We already have the clumsy use of existing laws to block access to such dens of depravity as the Radio Times, not to mention political blogs being blocked by the filtering implemented by mobile companies. The problem of incorrectly applied filtering is already so prevalent that entire organisations exist with the sole aim of dealing with this issue.

It’s already clear that without some form of rigorous oversight not only will mistakes be made, but many of them will be entirely avoidable. People will be filtered out of existence completely unnecessarily when it comes to the British corner of the internet, and even more worryingly will have limited options when it comes to clearing up the mess that should never have happened in the first place.

Take TalkTalk’s approach for example: their ‘notice for website owners’ consists of the following:

If you have a website and believe it is being blocked incorrectly by HomeSafe™ then please email homesafe.classification@talktalkplc.com, stating as a minimum your responsibility for the website (e.g. you may be the administrator, the site owner, or owner of the business advertised), the full name of the domain or url being blocked, and the category you believe it is being blocked under (e.g. Dating). This feedback will be reviewed by TalkTalk and changes may be made to HomeSafe™ as a result. However, TalkTalk will not reply to these requests nor enter into correspondence.

In other words: we won’t tell you when we filter your site. We won’t talk to you about what has happened or why. You don’t really have any rights to demand anything and tough luck if we decide you stay on the list …Oh, and by the way we want you to comply with these impossible demands too.

After all, if a site has been incorrectly filtered, how on earth are the webmasters supposed to state – ‘as a minimum’ – the category that they believe has been applied to their website?

I was curious about who was actually responsible for regulating these systems. Cameron’s speech back in July appeared to suggest that OFCOM would be responsible for overseeing this scheme. I duly emailed OFCOM with the following questions:

  1. What right will website owners have to be notified that their website has been filtered?
  2. What sort of right to reply can website operators expect prior to filtering?
  3. What sort of right to compensation can website owners expect when their site has been incorrectly filtered?
  4. What minimum standards will be enforced to ensure that website owners can get their site unfiltered?
  5. In regards to such minimum standards, how long would be the maximum time that an ISP would be expected to deal with any complaint?
  6. What sanctions will ISPs face for incorrectly filtering a site?
  7. Finally what appeals process will exist if an ISP refuses to remove a page?

This was the reply received:

Ofcom has no general role in overseeing the use of network level filters by ISPs. We are in discussions with the Government with a view to undertaking research into the awareness that parents have of the broad range of measures that are available for the purpose of improving the safety of their children when online.  This would include non-technical as well as technical approaches.  We would also be looking at the confidence that parents have in using such measures.  We are discussing with the Government how we might report on the progress being made by the four main ISPs against the voluntary commitments they gave to the Government, which were widely reported in the media.

The specific questions you ask in your email relate to the operation of the filtering systems by the ISPs and as such are best addressed by those ISPs that are deploying them.

So who is responsible for overseeing the use of network filters? Are ISPs really going to be left to do as they see fit with nobody there to make sure they don’t at least try to avoid mistakes?

One other thing with this reply that ought to be noteworthy is the complete lack of any mention of webmasters and how their rights will be considered in all of this, which is odd considering how many livelihoods depend on web based businesses these days, not to mention the large chunk of people’s lives that are conducted online. The last sentence in the reply is also the cause of concern, since it implies that ISPs will be left to regulate themselves. We know from the disaster caused by the banking industry that self-regulation can often end up being a complete train wreck.

In any case the reply seemed to be at odds with the speech, since the speech included this:

That’s why I am asking today for the small companies in the market to adopt this approach too and why I’m asking OFCOM, the industry regulator, to oversee this work, judge how well the ISPs are doing and report back regularly.

I thought maybe that perhaps somebody somewhere had made a mistake, so I asked them again. I got a very similar reply.

So it seems that there will be no meaningful oversight of the filtering. This is the same filtering that was only ever proposed because of bullying by the government and their threat of legislation. The government apparently won’t be introducing any checks or balances to make sure that these systems are run responsibly, even though the government is directly responsible for the existence of the filtering through their own actions.

I don’t accept that filtering is a good way to deal with keeping children safe. If we believe something is unsafe or inappropriate for a child to have then we should stop them from having it. We shouldn’t break the system in an attempt to accommodate the children. Parental responsibility rarely seems to get a mention. It should be up to them to decide what their children should and should not be using. They shouldn’t be leaving the job of parenting to mechanisms that can never work properly.

Trying to apply filtering to family members of different ages and expecting it to work properly is madness. Doing the same to an entire country is sheer insanity.

People never seem to ask just why their children are using certain items. Take smartphones for example: just why are children allowed to use them? They don’t need internet access or cameras to stay in touch with parents, and yet the general public is being told they have to give up their privacy so that a false sense of security can be given to parents. Anybody who thinks sufficient restrictions can be placed on items such as iPads to prevent access to inappropriate material might also want to read this before supporting the idea of replacing real parenting with questionable technical measures. They might also want to consider the fact that a large chunk of such material is created by the children themselves. In such cases filtering is completely pointless since it can’t stop photos being sent from one child to another.

It may also be worth noting that whilst some may regard much of what’s blocked to be distasteful it’s still entirely legal. ISPs have no legal right to inspect legal communications, much less interfere or block them, without consent from the sender as well as the recipient. The sender in this case would be the website owner.

That said, if others insist on implementing such an ineffective method of child protection, then they really ought to at least make sure that the needs of others are taken into account. If the ability of webmasters to communicate with the outside world is going to be interfered with then it ought to be properly controlled, and not just done on a whim.