On whose side are Open Rights with their campaign to "protect" the EU Data Protection Regulation?

I have long had strong views on the need for effective Data Protection but I have just received a e-mail via ISOC UK soliciting my support for tomorrow’s “Press Stunt” by the Open Rights Group to “protect” the proposed EU Data Protection Regulation. I have sat in on meetings which helped produce some of the amendments that the Open Rights group are condemning as lobby fodder  and read their guide to the issues . Either the Open Rights Group has missed the plot or it represents a different set of interest groups to that which I thought it did..

The high level objectives of the EU Regulation are admirable but the focus on meaningless tick box rituals, like data breach notification, means that it is, in practice, unfit for purpose, unless the purpose is to drive on-line operations off-shore (to the United States or India) or to facilitate the quiet harvesting of data to commit systemic fraud. It will do little or nothing to protect privacy. It will, however, help protect those who abuse our privacy by giving them the excuse of “compliance” with the rituals.

The focus should be on “encouraging” those who want you to use their products and services to help protect us when the data needed to impersonate you is available over the Internet, whether legally or illegally. Current “data breach” notification routines serve to deter organisations from taking action to protect customers known to be at risk when the channels via which their data came into criminal hands are unknown or legal (e.g. Companies House and other “public record” sources contain almost all that is needed to impersonate anyone who has served as a director of a company). Meanwhile routines cited as “good practice” are known to facilitate fraud: we cannot dismiss  the US “evidence” that breach notifications are followed by attacks on the recipients, even though we may have doubts over its meaning.  Publicity for breaches is indeed commonly followed by a surge of false “notifications” to harvest rather more than leaked. 

The proposed EU Regulation will almost certainly make that situation worse. The need is instead to clarify the liabilities of those who do not take effective action to protect customers whose details are “available” over the Internet. I say “clarify” because, for common law countries, the liabilities may already be clear but unpublicised, (in the UK it is a mix of tort, contract, bills of exchange and fair trade) – and we can see large organisations beginning to take action accordingly. Indeed the recent “spat” between Spamhaus and Stophaus appears to have originated with an exercise to do so.

I spent yesterday at Infosec getting sore feet visiting the stands of the security snake-oil salesmen. Many were selling products and services to help clients meet data protection “compliance” requirements which did little, or nothing, to help them protect customers from fraud or abuse. Several had products which could also be used to help identify those attacking their clients and/or reselling “stolen” data – but this was not at all obvious from the material on their stands. Only one had publicity material promoting a product  (Garlik Data Patrol) designed for that purpose. Yet to my mind the use of such products should be the first duty of any organisation that suspects it has had a data breach. Indeed I would argue they should be used, in parallel, by all who use services like Trusteer.  Given that most breaches are identified weeks or even months after they occurred, the requirements in the EU Data Porection regulation are, by comparison, either meaningless or worse than useless.

So what planet is the Open Rights Group on?

Perhaps more interestingly, who side is it on?

I used to think is was on “my” side: thinking of “me” as an individual  who is as suspicious of

  • Governments, who demand data retention in order to “protect” me,
  • Regulators, who demand data retention for “consumer protection and
  • Anyone who extols the virtues of “Big Data” as an aid to democratic decision making

as I am of the mass market ISPs, On-Line Retailers, Search Engines and Social Networks who track my on-line activities in order to improve service (alias sell) to me.

I now have my doubts about the Open Rights Group. I fear those doubts may be reinforced tomorrow when we see who it attacks, why and how. “By their enemies shall ye know them

I also have my doubts about ISOC. I joined in 1995 in the fond belief that sooner or later it would become the Governance structure that the Internet so badly needed. It is now clear that it will not. It does much good work but appears unable to look at issues from the perspective of billions of users, most of whom no longer have english as their first language. I have a growing suspicion that the future of the Internet will come out of Africa (like mankind) and Asia (like printing) not California or the Cambridges (Fenland and New England). And Western Liberals may not like that future. if so, it will have been their fault. I remind readers that the one thing I am not is a Liberal. My politics are where left meets right, round the back, beside the bike sheds.

P.S. I have focussed on the counter-productive nature of the proposals for Data Breach notification but I could have made similar points regarding the proposals on privacy by design, impact assessments, consent, the right to be forgotten or data portability – when the small print will almost certainly deliver the opposite of what the regulation is supposedly eeking to achieve. 

If you think I am wrong please comment. In the past I have had a lot of time for the Open Rights Group  and I would love to believe that I have misunderstood their position.   

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Dear Mr. Virgo,

I have read your blog post with much interest and felt I needed to kindly set the record straight on a few of the points you have raised.

1. ISOC UK soliciting your support for Open Rights Group Press Stunt

The message I have sent to the ISOC England list was carefully crafted so as not to "solicit support" but just to flag the event as there is currently some significant debate around the issue. If at all, this has just alerted our membership over the issue.

The Internet Society has recently published a blog post about the European Commission and Parliament being currently in the process of reviewing and amending drafts of a new Data Protection Regulation.

I invite you to read it on:


Responding to some of your assertions:

2. "ISOC is not stepping up to its potential on Internet governance":

Regarding our policy work – ISOC is a major contributor to high-level discussions on Internet governance, digital content, privacy, and many other issues. ISOC promotes, influences, and shape discussions through participation in international fora such as IGF, WIPO, OECD, Council of Europe, the UN WSIS Forum, World Economic Forum and ITU, to name a few. ISOC Staff spoke on Identity Governance at the IGF in Baku last November, helped with the CoE's drafting of guidelines on cross-border data transfers, contributed to the OECD's policy guidelines on privacy, security and cryptography, and gave review comments on the WEF's most recent report on the monetization of personal data. There are several ISOC Staff members who are engaged in this kind of work; others deal specifically with the ITU, WIPO and so on… ISOC has a very active role in the global Internet governance community.

ISOC Chapters form part of the extensive local network that ISOC relies on to reach local communities.

3. "ISOC isn't engaging sufficiently with emerging regions":

ISOC is undertaking specific practical activities in all regions. For instance, in Africa ISOC are hosting their 4th annual AfPIF (Peering and Interconnection Forum) event this Sept. and they were selected by the African Union to conduct workshops to support the establishment of Internet Exchange Points (IXPs) as part of the African Internet Exchange System project. Peering and Internet Exchange Points are a fundamental (and empowering) change to the way communications infrastructure gets deployed in emerging economies.

Here's a link to the Chapter map , which is a really nice graphical representation of how widespread the Chapters are; LatAm, West Africa and Asia are all well covered, and we have had a dedicated Far East Bureau in Singapore since last year - http://www.internetsociety.org/find-chapter

There are some 17 Chapters in Asia and 25 in Africa; you will see from the table below that the Asian Bureau in fact has the highest membership, while Africa is very much on a par with Europe and North America in terms of numbers. The numbers are persuasive: Asia, 16,200; Europe, 10,800; North America, 10,100; Africa, 9,600. This is not an organisation driven from Silicon Valley or Silicon Fen.

This is just the tip of the Iceberg about all of the activities that ISOC is currently involved in. I hope my comment has been of help to bring you up to date with them.

Kind regards,

Dr. Olivier MJ Crepin-Leblond

ISOC UK England Chair

And a little addendum to my previous message, ISOC England has published a blog post today explaining ISOC's Global Engagement.

You can find it on:


Kind regards,

Olivier MJ Crepin-Leblond

ISOC UK England Chair