Yesterday, I blogged over at Open Rights Group Birmingham about the latest twists and turns in the development of the Investigatory Powers Bill, the government’s plans to increase online surveillance and permit widespread hacking of computer networks.
If this post piqued your interest in online privacy and you live in or near Birmingham, you might like to come to the next Open Rights Group Birmingham meetup, which is happening tomorrow (Wednesday 17 Feb) from 6.30pm at Birmingham Open Media.
At the meetup we’ll be teaching people simple, practical things they can do to protect their privacy and security online. I’m pleased to say we’ve had a really good level of interest in the event, with over 20 people down to attend. If you can’t make it along tomorrow, we’ll be holding regular meetups throughout the year.
As an organiser for Open Rights Group Birmingham, I have followed with interest and not a little weariness the twists and turns as the government’s draft Investigatory Powers Bill makes its way through the pre-legislative scrutiny phase.
Today, the House of Commons science and technology committee published a highly critical report on the bill, with its chair, Nicola Blackwood MP commenting:
The current lack of clarity within the draft Investigatory Powers Bill is causing concern amongst businesses. There are widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate.
In particular, the report highlights the following problems:
The feasibility of collecting and storing Internet Connection Records ICRs – including the very real problem of keeping these highly personal records from (non state-sanctioned) hackers.
Anxiety amongst communication providers over the ability to use effective encryption, which Blackwood recognises is “important in providing the secure services on the internet we all rely on“. The committee particularly wants the government to provide greater clarity over the status of end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption.
Concerns amongst certain communications over ‘equipment interference’. For some providers, such as Mozilla (the makers of Firefox), this concern appears to stem from a genuine concern for its users’ privacy and the integrity of the internet. For other providers, the concern is more about how a perception of hacking could hurt their competitiveness in a global market for services.
Uncertainty over costs. Coverage of the committee’s report has downplayed the risk associated with spiralling implementation costs, both for government and businesses. At last cost, the Home Secretary has put the cost of implementing the new ICR system at £247 million but the report notes that costs are likely to change (i.e. rise), given the uncertainty and rapid pace of technological change.
It’s worth noting that the committee’s remit was purely to look at the technical feasibility of the government’s proposals and how these might affect communications businesses, not whether the communications monitoring provisions or whether they are proportionate to the threats they are intended to deal with. These issues are expected to be addressed by the joint committe Joint Committee established to scrutinise the draft Bill as a whole.
I believe the criticisms levelled at the bill in this report are significant for a couple of reasons.
Firstly, by focusing solely on the technical feasibility of implementing the bill, it manages to side-step the highly polarised debate between privacy and security advocates. This report says, irrespective of your views on the merits of expanded monitoring of communications, you should be concerned as a citizen and taxpayer about the feasibility of implementing the government’s plans at anything approaching a sensible level of expenditure.
Secondly, by holding up the prospect that the Investigatory Powers Bill will do real harm to the growing UK tech sector, the report will hopefully encourage the government to modify its approach, if only to protect its supposed reputation for business confidence.
Both these signals – questions over the feasability of implementation and the likely damage to the UK’s growing tech sector – will not in itself be enough to stop the Investigatory Powers Bill becoming law, but it’s a start.
The Joint Committee is due to deliver its full report on the Investigatory Powers Bill no later than 17 February. It will be interesting to see whether this committee takes a similarly critical stance on the merits of expanded monitoring provisions and the limited amount of time the committee was given to scrutinise the bill.
Since September, my role as product lead for Helpful Technology’s Digitial Action Plan has involved working closely with with senior civil servants to help them become more confident around digital engagement. I’d like to share with you what I have observed to be the main barriers to civil servants becoming authentic digital engagers and how we can overcome them.
Mastering the basics
At its heart, the Digital Action Plan is about giving people the confidence to use digital tools at work to listen, explain and talk with their audiences. Before people can can do that, however, they need to feel at ease with the basics of technology.
One of the great things about being from an external organisation is that civil servants, particularly those in senior roles, feel able to ask me for help where they might otherwise avoid doing so out of fear of looking foolish. For example, one person mentioned to me the common problem of struggling to remember passwords for different online services. Recognising this was likely to discourage them doing more with digital, I introduced them to the LastPass password manager, which will take the headache away from accessing digitial services.
While I am pleased to be able to help participants with any basic issues they have, I’d like to see organisations provide regular opportunities for staff to learn the basics in a non-judgemental environment. From my time as a Social Media Surgery volunteer, I know informal sessions can be a good way for people with skills to help others. Meetups could be held on a partcular theme, such as protecting your privacy and security online, or be of a more free form nature.
Making time for learning
I’ve found time, or more precisely the lack of it, to be a major barrier to civil servants becoming more effective at digital engagement. Not surprisingly, it can be a struggle to carve out time to learn new skills whilst managing a demanding workload.
For example, it’s pretty obvious writing and presenting a paper to the board is going to loom large in somebody’s to-do list and have the potential to put a limit on learning time. With the Digital Action Plan, I try to bridge the traditional divide between training and the day job by encouraging participants to connect their learning goals with real-life project and tasks. For instance, could a participant use Twitter to inform stakeholders about the forthcoming report, what its implications are and how they can get involved?
While most participants find they are able to connect their learning goals to forthcoming projects, I believe there is still more we can do. I would like to see closer working between line managers and participants so that there is clear agreement on how digital engagement learning will be built into participants’ workloads in a way that directly supports a team or department’s core objectives.
Valuing boldness
As a trainer, one of the most satisfying parts of the job is seeing people you’ve supported take offf and really run with something you’ve introduced them to. Conversely, it’s easy to feel disapppointed when people for whatever reason seem to fail to respond to your support or choose not to put what they’ve learned into practice.
In my experience, the people who get the most from the Digital Action Plan are those who are willing to be bold and seize the opportunities available to them. Earlier this month I was impressed when a participant published their first blog post on LinkedIn after previously expressing quite significant reservations over developing their own professional profile online.
The FSA’s Christina Hammond-Aziz’ recent blog post why faceless civil servant is never a good look, makes clear the significant progress the civil servicehas made on digital engagement but, as with any organisation or sector, there is always room for improvement.
This week, Janet Hughes from the Government Digital Service asked: what if boldness were an explicit value of the civil service? Janet describes boldness as bringing your whole to the situation and demonstrating the values of opennesss of optimism and a commitment to something bigger than yourself. In doing so Janet could just as easily have been describing the qualities of authentic digital engagement. Ultimately, if we want civil servants to be authentic digitial engagers, we must go further in supporting an organisatonal culture which values and rewards authetic engagement.
As a member of the civil liberties organisation Liberty, it was with sadness that I read earlier this week week that Shami Chakrabarti is stepping down as director after 12 years in the role.
Shami Chakrabarti’s list of achievements – from overurning compulsory ID cards to challenging internnment of foreign terrorist suspects and, most recently, providing strong challenge over the government’s plans to scrap the Human Rights Act and greatly expand online surveillance – are all the more remarkable when you realise she joined Liberty the day before September 11 attacks in 2001. While I may still find myself despairing at the British political establishment’s respect for citizens and civil society, I can see that without Chakrabrarti’s principled leadership things could be a lot worse.
Chakrabarti has written a thoughtful piece for The Guardian to coincide with the announcment of her depature from Liberty. In it, she notes: “When fear stalks the land, blank cheques become all too easy and ever more dangerous.” This defintiely rings true of my recent experience campaigning against the Investigatory Powers Bill as part of the Open Rights Group. For me, the lowest point of the campaign (so far – it’s not over yet!) was when David Cameron sought to use the Paris Attacks to justify an attack on encryption, despite the fact that the terrorists had in fact coordinated the attacks using regular unencrypted text messages.
I was also struck by another of Chakrabarti’s observations: “We all love our own rights and those of friends, family and people like us. Other people’s freedoms seem cheaper until it’s almost too late.” Again, I have encountered this in my campaigning for the Open Rights Group. The common response of “nothing to hide, nothing to fear” when privacy concerns are raised in relation to the Investigatory Powers Bill reflects many people’s belief that they (and by extension, their friends and family) will never be adversely affected by expanded online and so we need not worry ourselves about the balance of power between citizen and state.
While I will be sad to see her go I can understand her reasons for stepping down, given the pressure and responsibility she must have felt over the past 12 years. I would like to thank Shami Chakrabarti for everything she has done to defend civil liberties and human rights.
I’ve missed the boat. As I sit down to write this post, the fourth day of 2016 is already drawing to a close.
If I were a better blogger/person, I would have already have written my 2015 round-up and published it in the sweet spot between Christmas and New Year when there’s a flurry of such posts.
Instead, I was caught up in a flurry of holiday hosting and socialising which has only just come to an end. As John Lennon might have said, life is what happens when you’re not busy making other plans.
While I was experiencing 2015, it often felt like the lows were getting the better of the highs but looking back I can see there were a few ‘champagne moments’ along the way. So, without further ado, here’s a brief round-up of the key events from possibly the most eventful year in my life.
The Highs
Going freelance as a digital communications specialist and working with the lovely team at Helpful Technology to deliver their digital confidence and skills programme across Whitehall.
Launching Open Rights Group Birmingham and working with passionate and principled people to protect and promote human rights in the digital age and oppose the Government’s controversial Investigatory Powers Bill.
Getting some much-needed good news towards the ends of the year about health issues which have affected my family throughout 2015.
The Lows
Being made redundant from my role as Communications Manager for ARK Kings Academy in Birmingham, due to a funding shortfall.
Worries over family health issues, which thankfully improved as 2015 drew to a close.
The stomach-churning feeling so many of us got at 10.01 pm on 7 May, when the exit polls announced the Conservatives would get the seats they needed to form a government and I would have to retire my Hell Yeah, I’m Voting Labour T-shirt.
Watching David Cameron use the fear, uncertainty and anger generated by the awful Paris attacks to secure parliamentary approval for bombing Syria and stooping to a new personal low by labelling opponents of bombing ‘terrorist sympathisers‘.
Since joining Helpful, my work has been focused on how best to give people the confidence and skills to use digital at work. This has involved delivering face-to-face training, producing engaging online resources and offering ongoing support to participants.
Here’s what I’ve learned so far about how to approach improving people’s confidence and skills with digital. While I am talking about digital, hopefully these lessons will also be helpful for anyone trying to bring change in other areas.
1. Never make assumptions about a person’s existing skills and confidence
It’s easy to assume a participant will have broadly similar digital skills and confidence as his or her peers. However, now that I have worked with several cohorts from across different organisations and levels of seniority, I have come to realise this is not the case.
For example, I discovered that one participant had started his career as a programmer at IBM before joining the civil service and had actively made the case for embracing digital. This person’s requirements from the Digital Action were very different from someone who had little experience or confidence in using digital at work.
2. Take a holistic approach to people’s learning
Although the Digital Action Plan is focused on giving people the skills and confidence to use digital at work, I’ve found people are more motivated to complete the training when we can link it to their needs and preferences beyond the workplace.
For example, after doing some initial research I discovered that one of our participants, Jonathan Aldridge, is a published author and has blogged about his experiences as a writer. By knowing this, we were able to tailor his learning goals so that he was able to both apply his existing skills to in-work projects and develop new skills that would benefit both his employer and his creative pursuits.
While not every participant will be a published author, by taking the time to talk to participants and regularly reviewing their learning goals with them , it is nearly always possible to link digital to both work and more personal objectives.
Another participant, for example, thought she didn’t really do much with digital but after talking to her, it turns out she has blogged about shoes in her. Knowing this, we were able to encourage her to use this outside interest to create a ‘safe space’ where she could experiment with new digital channels such as Pinterest, before applying them to a work project.
3. Connect training with real-life projects
While it can be very helpful to get participants to think about how they use digital outside of work, ultimately we want people to be using digital in their everyday job roles.
For every goal, participants are asked to apply what they are learning to a project or area of their work. For example, when learning how to use the Hootsuite dashboard to conduct a social listening exercise, policy officers are asked to ‘listen in’ on what people are saying about their policy officer.
Going forward, I am exploring ways of strengthening the connections between a participant’s learning plan and their work priorities.
Earlier this week, for example, Guy Poppy, Chief Scientific Advisor to the Food Standards Agency, explained to me his ambitions to develop a collaborative open data project to improve food safety.
We are now working together to ensure Guy’s learning plan reflects this ambition, for example relating a goal on developing blogging skills to the task of persuading stakeholders to support the open data project.
4. Always be nice (but not too nice)
Finding time for learning and development can be really difficult, particularly when many of the organisations we work with at Helpful are under pressure to ‘do more with less’. This means it’s important to strike the right balance between being supportive and firm when encouraging participants to complete their Digital Actions Plans.
I have found that putting time in early on to build relationships with participants and course patrons makes it easier to get people through the course. By doing so I have been able to identify and take action to overcome potential barriers to learning, whether that be a participant’s workload, a lack of confidence or how useful a participant perceives their learning goals to be.
Putting in this initial effort means I am able to be firm where required. For example, having worked with a participant to tailor their learning goals or extend a deadline, I am in a strong position to hold them to account, should they not be making sufficient progress.
In my last post, I argued that if campaigners (including myself) are going to take on the Government over its plans for online surveillance and win, we need to dismantle the claims they are making about these powers being necessary for security and crime fighting.
Since then, I’ve done some further online research and had some interesting conversations on Twitter and at last night’s well-attended Open Rights Group Birmingham meetup. This has helped me to develop my thinking on how to frame the argument in a way that convinces politicians and the general public to sit-up and take notice of what’s at stake with the Investigatory Powers Bill.
Winning the argument over the Investigatory Powers Bill – key lines
Security risks created by the Investigatory Powers Bill
The new requirement for tech firms to provide unencrypted communications to the police or security services if requested through a warrant has been widely interpreted as an attempt to weaken encryption.
As Tim Cook explains, “Any backdoor is a backdoor for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.”
In addition to the weakening of encryption, the bill will create more opportunities for cybercrime. Requiring ISPs to store everyone’s Internet connection records for 12 months will create huge amounts of personal data, which will be highly attractive to criminals. How much more personal data could criminals could have stolen from TalkTalk, had the new collection system been in place? Timothy Brown, Executive Director of Security with Dell Software Group noted: “this only creates larger and more attractive targets for hackers and leaks.“
The bill proposes granting the security services broad powers to hack computer systems. Doing so will leave critical infrastructure at risk, as the same vulnerabilities used by security services will be exploited by criminals. As Tim Cook noted: “Any backdoor is a backdoor for everyone.”
Questionable security gains from expansion of surveillance powers
The bill gives authorities permissions to collect bulk data straight from the public internet cables. From this data, the metadata – the who, what, where and how long rather than the full contents of a communication – will be analysed. Amnesty International, Liberty and the European Court consider this to be mass surveillance.
Internet service providers (ISP) have called into question the cost of implementing a key element of the Investigatory Powers Bill, the mandatory collection and retention of every citizen’s Internet Connection Records.
The Home Office has budgeted for £175 million but this is only intended to cover the initial up-front equipments costs, not the ongoing cost of running the system.
Asked about the feasibility of implementing a system of mass data collection, James Blessing, the chair of the Internet Service Providers’ Association (ISPA), said ISPs would find it “very feasible – with an infinite budget”.
Human rights and international reputation
Joseph Cannataci, the UN’s special rapporteur on privacy, said the draft Investigatory Powers Bill heralded a “golden age of surveillance” unlike any that had come before. He also said, “The snoopers’ charter in the UK is just a bit worse than scary, isn’t it,”
The Government’s approach, which enshrines and expands mass data retention, appears to run contrary to the European Court’s judgement and so would be subject to challenge.
Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the Council of Europe (PACE), Mass Surveillance Report, 26 January 2015 (accessed 12 November 2015)
Last Wednesday I arranged for Jim Killock, Executive Director of the Open Rights Group, to give a talk to Open Rights Group Birmingham about the threat mass surveillance poses to our human rights and democratic society.
I was spurred on to organise the talk because of the UK government’s plans to introduce new surveillance legislation this autumn, known as the Investigatory Powers Bill, which will (amongst other things) give the government legal power to collect, analyse and retain in a gigantic database for 12 months everyone’s electronic communications interactions (phone, email, web history, text and WhatsApp messages, etc) regardless of whether you are suspected of committing a crime.
The surveillance debate – even boring by C-SPAN standards?
Bulk data collection or bulk waste collection. Remind me what’s the difference again? Photo by colleen_elizabeth
Cleverly, the government has managed to couch the surveillance debate in language that is, to quote Jon Oliver, “even boring by C-Spann standards”. Talk of bulk data collection is more likely to evoke a service your local council might offer to help you get rid of an old mattress than a scene from The Lives of Others. And even if you can get your head around the opaque language being used, most of the attention in the debate focuses on the (rightly) emotive issues of terrorism and serious crime, leaving little time to consider the effect mass surveillance has on innocent citizens and the health of our democratic society.
In the interests of balancing out the surveillance debate , I’d like to borrow liberally from Jim’s talk to share with you 3 reasons why you should be worried about the government’s plans, especially if you think the Investigatory Powers Bill won’t affect you.
1. Mass surveillance undermines democratic accountability
Aerial photograph of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire. Are MPs in a position to hold GCHQ to account if they didn’t even know their communications were being eavesdropped? Photographer: GCHQ/Crown Copyright
Last week, the Investigatory Powers Tribunal announced these assurances had been:
“a political statement in a political context, encompassing the ambiguity that is sometimes to be found in political statements”
Furthermore, even if the statements of protection had been given in good faith, it is not technically possible to offer these assurances in an era of bulk data collection of the entire population’s electronic communications.
The tribunal’s ruling has, predictably, led to much soul searching by politicians of all stripes, with Labour’s Chris Bryant even managing to secure an emergency debate on the issue on Monday.
For me, the confusion caused by the ruling reveals the extent to which the surveillance agenda has managed to circumvent conventional democratic accountability.
Essentially, all of us, including the vast majority of elected politicians, are told to trust the authorities who tell us mass surveillance is necessary to protect national security and not to ask too many questions.
In this culture of secrecy, asking questions is deemed to be undermining the effectiveness of the authorities’ work and giving tacit cover or support for terrorists. Consequently, it becomes impossible to have an open, democratic debate about how we best go about balancing the security needs of our country with respect for our human rights.
We should be extremely wary of allowing the Investigatory Powers Bill to pass without having an open and democratic debate about the kind of country we want to live in and where the balance lies between the powers of the state and the rights of individual citizens.
2. The Investigatory Powers Bill will undermine the free press and civil society
3 police officers guarding Downing Street. Should the police have used surveillance legislation intended for anti-terrorism work to investigate the Plebgate scandal? Photo: Egghead06
While you may feel you don’t have much to worry about in terms of the authorities accessing your records, there are and will always be people who do need privacy protection.
Journalists need privacy protection. Imagine, for example, you are a journalist and you have received a tip off about Police wrongdoing. Would you be brave enough to investigate the allegation if you thought your communications could be accessed by the very same organisation?
Whatever you think of The Sun and Rupert Murdoch’s News International operations, I hope you’ll agree that it’s not right that the UK’s surveillance legislation can be used to hamper the media. If that is what is possible under today’s legislation, we should think carefully before expanding the amount of data authorities can gather on all of us.
Even if you think that journalists by virtue of the job they do are fair game for the authorities, their sources still need to be protected. The Investigatory Powers Bill, by expanding data collection and giving the police and other authorities more rights of access, will make normal, everyday people more reluctant to come forward and report wrongdoing.
3. Mass surveillance is a golden opportunity for criminals
Will increased personal data collection and weakened encryption create more opportunities for criminals? Photo: Perspecsys Photos
Even if you are personally comfortable with the idea of the government passing more surveillance legislation without proper democratic debate and don’t care all that much about the rights of journalists and whistleblowers, chances are you wouldn’t be too keen about criminals getting hold of your personal information.
As well as increasing the total amount of personal information for criminals to target, government efforts to weaken encryption will make it easier for criminals to break into that data. While the government may wish to believe it can demand a special key or ‘backdoor’ to unlock encrypted that only it can use, the reality is criminals will discover this vulnerability and, in so doing, undermine the encryption that not only protects our privacy but is essential for online banking and secure e-commerce payments.
Remember the Zune? Chances are you don’t. The Zune was Microsoft’s answer to the iPod. But unlike Apple’s iconic music player, the recent announcement by Microsoft that it is to close down its Zune music service this service is unlikely to result in a mass outpouring of nostalgic ‘I remember downloading my first song from the Zune store’ newspaper stories.
On the face of it, the Zune’s demise is just the latest in a long line of gadgets which never quite managed to capture the public’s imagination. However, thanks to the wonders of digital rights management (DRM) and copyright over-reach, the Zune’s demise carries with it a nasty sting in the tail which each of us should care about, whether or not we ever even came across a Zune in the real world.
From 15 November, it is not just the Zune Music Service that will close, Microsoft will also be closing down the computers which are required to authenticate any music customers purchased containing DRM. As a result of this move, DRM technology, which was always justified as a way of thwarting bad people who did not pay for music, will have the perverse effect of prevent paying customers from enjoying the music they purchased. Reassuringly, music files without DRM, irrespective of how a person obtained them, will continue to play just fine.
It doesn’t have to be this way, of course. Zune music customers can easily convert their music files into a DRM free format using software freely available on the web. But customers won’t be offered this about this option, and not simply because (relatively) few people ever got on board with Zune.
No, the reason why Zune customers will find themselves locked out of their own music collection stems from copyright law, specifically a controversial provision of the United States’ Digital Copyright Millennium Act or DCMA for short. The legislation contains what is known as an ‘anti-circumvention’ provision, which makes it a crime for anyone to attempt to circumvent ‘digital locks’ built into software, such as the DRM found in digital media. While individual Zune customers (they must exist, surely!) are unlikely to ever be prosecuted for converting their music, the existence of the legislation generates a chilling effect such that a corporation such as Microsoft would be extremely unlikely to give customers the option of converting their music to a DRM free format.
If after reading this post you’re thinking, what’s the big deal? It’s worth noting that DRM and the restrictions it imposes on customers is not limited to Zune music files. DRM is found in all areas of our life and is increasingly making the leap from the virtual to the physical world.
While I am personally vexed that the Kindle ebooks I purchase from Amazon which cannot by read on rivals to the Kindle ereader, I am reliably informed that there are more important things to worry about in life.
Today’s revelations that VW was able to use in-built software to get around environmental regulations in the United States may see unrelated to the Zune story but in both cases, DRM plays a crucial role.The anti-circumvention provision applies to the software contained in VW vehicles in the same way it does the DRM contained in the Zune music files. In the VW case, it appears the law prevented researchers from accessing the software, thus reducing their ability to spot the problem with emissions testing. And if it took five years to spot a problem with emissions, there is the very real possibility that access barriers imposed by the DCMA may be preventing safety problems from coming to light.
Whatever your views on the necessity of DRM to protect software and media, I hope this post has illustrated the problems it can cause legitimate customers and wider society.
I am writing this post at the end of an eventful week in my life.
On Tuesday, the first day of autumn, I got up early and caught a train to London to start a new job working as a Product Lead for Helpful Technology, a company which specialises in digital communications and engagement. The company was set up by former civil servant Steph Gray, who I first met back in 2010-11, when I was working for FutureGov. As well as helping Whitehall departments become more confident with digital, Helpful Technology also works with charity and not-for-profit organisations.
Like anyone starting a new job, I was filled with a mixture of nerves and excitement. To make matters worse, I couldn’t get The Futureheads’ First Day out of my head.
Fortunately, I somehow managed to shake-off The Futureheads by the time I arrived at Helpful’s offices in Clerkenwell to meet my new manager. And even if I didn’t quite manage to project an image of calm, easygoing intelligence I think I did okay. I’m pleased to report everyone at Helpful has been very friendly and, yes, helpful. As the week has moved on I have found myself becoming more relaxed and settling into life at Helpful.
At the moment I am working for Helpful as a contractor for three days a week, combining a day commuting to London with working from home on the other two days. As someone who first started his career in local government, I still find it a bit strange to be working in such a flexible way. For now, though, I am going with the flow and trying to enjoy the benefits that come with the flexibility, such as being able to organise last night’s great Open Rights Group Birmingham meetup.
It’s been a great first week and I feel I am learning a lot from working alongside the team at Helpful, which I will aim to share in future posts. But for now, I am heading off to relax and recover. Enjoy your weekend.
Francis Clarke 
