1. FOI helps reveal the new surveillance tools deployed by police

    Camilla Graham Wood is a Legal Officer at Privacy International, an organisation advocating and litigating for stronger protections of citizens’ privacy, dignity, and freedom.

    At AlaveteliCon, Camilla presented on PI’s ‘Neighbourhood Watched’ campaign against the deployment of new technologies by police forces in the UK, many of which are unknown to the general public — and unrestricted by current regulation.

    These include facial recognition, hacking, mobile phone extractions, and predictive policing: all examples of the police harnessing new technology with the aim of becoming more efficient — but where PI see great risks for the loss of liberties and for mistakes to be made. Freedom Of Information has been a crucial tool in their efforts to uncover the facts.

    An initial tip-off

    We asked Camilla how the organisation had first become aware of these technologies.

    “It’s hard to find out about technologies if the state doesn’t want you to know about them.”

    “We were contacted by investigative news co-operative Bristol Cable, who had looked into police accounting records and seen reference to Cellebrite, an international company well known for selling mobile phone extraction technology”.

    Mobile extraction allows the police to download all content and data from a phone. At AlaveteliCon, Camilla explained, “They fit a device, about the size of an iPad, to your phone and it will copy across everything on there. This was rolled out, without any announcement, around the London Olympics.

    “Obviously you might have concerns around police accessing the material that’s on your phone at that time, but there are also ongoing implications — for example if you don’t change your password afterwards, they then have access to all your various accounts on an ongoing basis — they can access your email, social media etc.

    “So we decided to take Bristol Cable’s investigation further, and that led to the use of FOI to uncover the extent that this technology was being used, particularly for low level crimes.

    “We anticipated this would show whether it was being used on a wide scale by frontline police officers. And it is”.

    Neither confirm nor deny

    “New surveillance technologies are radically transforming the ability of police and intelligence agencies to monitor our civic spaces.”

    That may sound like a simple result: put in some FOI requests, get the information back. In reality, though, it has not been quite so easy. “The state often does not want to say when they’re using specific technologies, so they will use the ‘neither confirm nor deny’ response. It’s hard to find out about technologies if the state doesn’t want you to know about them.

    “We sent FOI requests to all 43 police forces in the UK in January 2017 to find out which were using this technology in relation to low level crimes. We then sent follow-up requests later in the year. A large number of the forces responded that this second request was vexatious, largely because we had already asked questions about other forms of surveillance such as predictive policing, facial recognition and social media monitoring. They said that because we had already asked about what new technologies they were using, our FOI request on mobile phone extraction was vexatious.

    “This meant that we had to request individually to each force to conduct an internal review, then subsequently a review by the Information Commissioners Office. But we were, at least, successful in this challenge”.

    Camilla explains that although PI eventually received these responses, a number of them had had to restrict the amount of information provided due to time and cost limits. That in itself revealed something pretty telling — an inability to audit the use of mobile phone extraction. “It appears that the data is held on individual files, so they could not tell us how many victims, witnesses and suspects had been subject to this technique”.

    The work hasn’t all been adversarial though. At AlaveteliCon, Camilla explained how she had attended police conferences as a speaker. Though a little daunted, she found that she was warmly welcomed by officers who wanted to know more about how they could better answer FOI requests.

    Facial recognition, body cameras and predictive policing

    “PI is particularly concerned about technologies that police can, and sometimes do already use to monitor people who have not committed nor are suspected of any crime.”

    What are the other devices and methods in use that the public may not be fully aware of? Camilla highlights body cameras which can be switched on or off by the police officer wearing them, and the footage from which can be used in tandem with facial recognition.

    Then there are IMSI catchers, which imitate a mobile phone mast and are able to monitor your location and activity. Also of concern are predictive policing methods, which raise all kinds of issues around biases that are baked in to the system — Beryl Lipton from Muckrock in the US is also doing work around this, and we’ll be writing about that in a further post soon.

    Should we be worried?

    Reading about such technologies, one might dismiss any concerns — after all, police have a job to do, and it’s natural that they should be using the latest advances in tech to do so. Camilla spells out why we should apply a little more judgement:

    “FOI is one of many options we’ve used to discover information about what the government is doing, often in secret. It can be one of the few means to find out that information.”

    “New surveillance technologies are radically transforming the ability of police and intelligence agencies to monitor our civic spaces and collect, categorise, store, analyse, and share our personal data. These authorities are expanding the depth and breadth of their surveillance of our civic spaces (by that I mean real life spaces like public streets, parks and squares, as well as digital spheres including the internet, messaging apps, and social media platforms), often without sufficient legal basis or democratic input and oversight.

    “While new technologies may be deployed under the guise of protecting democratic society, without adequate regulations and safeguards those technologies can threaten democratic participation and dissent — and thereby undermine democracy itself.

    “PI is particularly concerned about technologies that police and intelligence agencies can, and sometimes do already use to monitor people who have not committed nor are suspected of any crime”.

    Freedom of Information is the key to transparency

    “People have a right to transparency around the technologies that are being used; they have a right to question whether there is any justification for the deployment of these tools”

    So, time to deploy our right to information, something that every UK citizen enjoys. How useful has FOI been to the campaign?

    “FOI is one of many options we’ve used to discover information about what the government is doing, often in secret.

    “It can be one of the few means to find out that information. As far as I am aware, there was nothing published on the use of mobile phone extraction by the police. The public were unaware the scale that this was being used.

    “As a result of our FOI activity, this has been brought into the open”.

    Taking it further

    But PI’s activity and the wider repercussions of the campaign don’t stop there. “Based on these findings, we published a report.

    “We’ve also written to the Investigatory Powers Commissioner stating that we believe the use of this technology may constitute hacking or interception.

    “We have complained to the Information Commissioner that the tech is in breach of the old and new data protection act — that complaint is still under investigation. We’ve also given evidence to the Law Commission in relation to their consultation on the use of search powers; an investigation was commenced by the Scottish Parliament into the use of this technology by Police Scotland; and we’ve trained lawyers to raise awareness about this technology.

    “Our work has even informed the debates around the use of this technology against rape survivors and we have raised concerns about the relevant issues to digital forensics”.

    You can get involved

    Now PI hope to get the general public mobilised in protesting these affronts to our privacy. “We hope to see people challenge their local police force on the use of these technologies. As we approach the local elections next year and in particular the election of Police and Crime Commissioners, we would encourage individuals to use the materials in our Neighbourhood Watched campaign and write to their local representatives to ask what new technologies are being used against local residents.

    “People have a right to transparency around the technologies that are being used; they have a right to question whether there is any justification for the deployment of these tools and to ask what safeguards and protections are in place to protect against misuse and abuse”.

    PI are now keen to replicate the Neighbourhood Watched campaign in other countries, to help create more transparency and accountability around these technologies.

    Finally we asked Camilla whether she had advice for those involved in sometimes difficult investigations such as this. She had just three words: “Persistence is key”.

    Image: Phil Hearing

     

  2. Taking Parliament to court: how Vouliwatch pursued the right to transparency

    Vouliwatch is a platform for Greece which strives to make democracy more accessible for all. If you’re familiar with mySociety’s projects, it might be easiest to see it as a mixture of TheyWorkForYou (it publishes MPs’ votes); WriteToThem (making it simple for citizens to contact their representatives), and a campaign for more transparency and better oversight in the country’s parliament, often using Freedom of Information toward these aims.

    This year, Vouliwatch found themselves in the extraordinary position of issuing a lawsuit to their own parliament. Their Managing Director Stefanos Loukopoulos explained how it all happened, in his presentation at AlaveteliCon.

    He left us with quite the cliffhanger — would the case go to court or not? — so we were keen to catch up and find out how it had all resolved. But to begin with, here’s what he told us back in October:

    “In Greece, there’s an independent committee known as the “Committee of Control”: it’s made up of judiciary, ombudsmen, and three MPs sit on it as well.

    “Its role is to audit and check asset declaration and the finances of MPs, as well as the financial activities of political parties.”

    As you’re probably aware, over the last eight years Greece has been in the grips of a massive financial crisis, losing more than 25% of its GDP. Stefanos says, “It’s a situation unknown anywhere else in history.

    “The two parties who were in power during the period that led up to the crisis owe, between them, over 350 million Euros to the banks, the majority of which is unserviceable.”

    So, that’s the background. And now to the nitty gritty of the case.

    “Every year the Committee of Control put out a report. For the last three years it has said exactly the same thing: ‘Some political parties’ have taken public funding which was supposed to be for research, and used it for operational purposes. However, the report doesn’t go into detail of which political party, or how much money.

    We were accused of trying to destabilise democracy. We think that actually, democracy is more harmed by hiding this information!

    “The Committee has the power to impose sanctions, and the law is quite clear on this point: if funds are not being used for what they should be, or are stated to be used for, then they need to be returned… but year after year, these powers weren’t used and nothing was done about it.

    “We believe people have the right to know what’s happened to this public money. We sent letters, but in return we were just accused of trying to destabilise democracy. We think that actually, democracy is more harmed by hiding this information!”

    “After two years, we finally submitted a formal FOI request. We didn’t expect an answer (and we didn’t get one) but at least we were covered by FOI law, so we knew exactly what information we should have been entitled to. After consulting with a law specialist we decided to take Parliament to the constitutional court. This is the first time anything like this has ever happened.”

    And so that was how Vouliwatch ended up issuing a lawsuit to their own parliament. The day Stefanos was telling this tale at AlaveteliCon, things had started to move. He said:

    “The legal team at Parliament have suggested just today that the information we asked for has actually been released, but I haven’t received it yet. I’ll keep you updated. I’d love to take them to court really, it would create a far bigger buzz and perhaps open more people’s eyes to what FOI is and how it can work to expose malpractice.”

    So, of course, when catching up with Stefanos a few weeks later, we were keen to know: was the information released, or did they get to go to court?

    “In brief, yes, the information was released, so there was no court appearance after all.”

    But the effort was still worthwhile on many fronts. The information was, Stefanos says, shocking:

    If it wasn’t for our FOI request and our appeal to the Constitutional Court, no-one would have ever heard about it.

    “The current ruling party Νέα Δημοκρατία (New Democracy) — which, by the way, owes give or take 142,100,000 Euros to the Greek banks (and it should not be forgotten that the banks have been practically recapitalised by the taxpayer on a number of occasions during the crisis) — has been using the state subsidy intended solely for educational and research purposes to repay its loans, for at least two consecutive years. This amounts to about a million Euros.

    “The Committee of Control had actually detected this malpractice, but did not impose any sanctions — and worse, actually tried to conceal the story. If it wasn’t for our FOI request and our appeal to the Constitutional Court, no-one would have ever heard about it.”

    There’s more detail on the whole tale on the Athens Live site. But getting the story out to the wider population has been a struggle, says Stefanos:

    “Unfortunately the media landscape in Greece is very problematic, to say the least. All the big mainstream media groups belong to a handful of oligarchs (shipping tycoons, mainly) who have historically had close ties to the traditional political parties, New Democracy and PASOK.

    “So, unsurprisingly perhaps, our story was covered only by independent media or left leaning newspapers and was totally ignored by all the big media groups.”

    Of course it’s daunting to take your own Parliament to court. But the prospect of facing a court case is also exciting at the same time.

    But there have been some visible results from Vouliwatch’s hard work.

    “The new president of the committee publicly pledged that they would be stricter during the next auditing process.

    “So that’s a positive outcome, but I must say that he didn’t mention anything about adding more details in the next report (which should be published by the end of the month so we are really looking forward to seeing what it will look like).

    “Meanwhile, we got in touch with the parliamentary groups of various parties (except for New Democracy of course) asking them to table a parliamentary question on the issue. The only one that took it up was Μερα25 (Mera25), which is the Greek branch if you like of the Democracy in Europe Movement Diem25, and is led by Yanis Varoufakis. The (oral) question was posed in Parliament during its plenary session and the shadow minister of the interior tried to justify New Democracy’s actions by using legally unfounded arguments.

    “We countered/deconstructed these in a reply and published it out — and Μερα25 is going to use it in their comeback question.”

    And as for Vouliwatch’s day in court? It’s not entirely off the table, though now to the Committee of Control rather than Parliament as a whole: “Currently we’re drafting a lawsuit against the committee for breach of duty and will submit it to the relevant attorney general.”

    This sort of work matters in Greece, and not only to uncover malpractice. Even if it’s hard to get mainstream media coverage, it all helps to highlight people’s right to information and how FOI can be used. But Stefanos says it’s not easy:

    Our case proves that FOI does have a strong role to play in the fight against corruption/lack of transparency

    “FOI in Greece is, unfortunately, virtually non existent. Despite the decent legal framework around it, citizens and journalists alike are unaware of their rights and how to exercise them — and the state (as well as public authorities/institutions in general) have failed to communicate it or make it easy for the public to use.

    “I think our case proves that FOI does have a strong role to play in the fight against corruption/lack of transparency in Greece; however, one may be easily dissuaded and disappointed because in most cases one needs to resort to litigation in order to get a response.

    “In other words, we took the case this far because it’s part of our work as an organisation. I doubt that a citizen or journalist would follow the same strenuous course as we did, bearing in mind the costs of litigation, the time required, the legal research etc, etc.”

    Is it daunting issuing a lawsuit to government?

    “Yes, of course. But the prospect of facing a court case is also exciting at the same time. If we were ordered to pay out a large amount in reparations it would be close to catastrophic for our organisation. However, our case was legally airtight and the chances of losing it minimal, which is why Parliament decided to back off and release the information in the end.”

    Bravo Vouliwatch — and we’ll be watching future happenings with great interest.

    Stefanos Loukopoulos is the managing director of Vouliwatch and spoke at AlaveteliCon in October 2019.

    Image: A.Savin (Wikimedia Commons)

  3. FragDenStaat: a lighthearted approach with a serious mission

    FragDenStaat (“Ask The State”) is Germany’s FOI site, running since 2011.

    Having always provided a platform for the general public to submit FOI requests, the organisation recently made the decision to focus more on the campaigning side of their activities. By using pre-filled FOI requests and encouraging their supporters to send them, FragDenStaat can harness the power of numbers.

    As Project Leader Arne Semsrott explains: “We are trying to show the possibilities of FOI, using it together as a group or movement with a shared goal, not just as separate individuals”.

    It’s an approach they used in a campaign to uncover the hygiene ratings of restaurants (which, unlike the UK, are not routinely published in Germany) — users were invited to file a pre-written request to the relevant authorities, and over 20,000 such requests were made, then the responses published. It’s hoped that doing so will bring about change — FragDenStaat say, “The platform will provide transparency until the authorities do it themselves”.

    More recently, a similar campaign sought to reveal the facts behind the herbicide glyphosate (aka Roundup). It began when FragDenStaat requested a study from the German Federal Institute that stated that the weedkiller “probably” isn’t linked to cancer.

    “We were told not to publish it”, said Arne. “So we published it”.

    This mischievous approach is one of FragDenStaat’s defining qualities, but there’s always a serious point behind it. In this case: “We were told that we weren’t allowed to publish this report, but through FOI, we – and therefore anyone – is allowed to have it. It’s ridiculous.”

    This is also an issue which we sometimes come across at WhatDoTheyKnow, where responses come complete with a generic footer prohibiting the publication of the information. Like FragDenStaat we think there’s a good argument against this. Freedom of Information law in the UK as well as in Germany is “applicant blind”, so anyone can request the same document and get a copy of it. That being so, it is more efficient to publish it online, and it saves taxpayers’ money since the authorities aren’t having to respond to multiple requests for the same information.

    The German Federal Institute thought differently, however, and FragDenStaat were taken to court for copyright violation.

    Officially, the report couldn’t be shared: what now? Arne continues the story: “So we built a one-click mechanism where anyone could make the same FOI request. Within two weeks, 45,000 people had requested it. The Institute had never had so many emails and didn’t know how to cope.

    “We know this because we then requested the internal communications around how they were handling it. They developed an online solution with a log-in code to prevent people spreading the report further. We then developed some code to automatically log you in and download it.

    “The legal proceedings are still pending but we would like to see a judgment by the Court of Justice on copyright vs FOI.

    “If we lose the case it might mean that copyright gets used as a reason for denial in lots more requests. And if this happens, we need to make so much of a fuss that it becomes an unattractive proposition to do so. What we have achieved so far, though, is that we are pretty certain that most public authorities don’t want to confront us that way anymore.”

    Since turning into more of a campaigning organisation, FragDenStaat are involved in more than 45 lawsuits. That might seem daunting to some small organisations, but Arne thinks differently:

    “Over time we have learnt that one of the biggest tools we have to change the practice of FOI is strategic litigation. We have won most of our cases and are always keen to tackle legal questions that have not been addressed in German courts before. We have the feeling that the FragDenStaat community likes our approach and there are enough people who are willing to donate for our legal costs”.

    FragDenStaat consistently bring an inventive angle to their campaigns, which sometimes borders on cheekiness. Asked about this, Arne replies: “To most people, files and documents appear to be the most boring thing on earth (which of course they aren’t!), so we feel that we need a bit of fun to attract people to the topic. And actually it’s way more fun for us that way.

    “I do believe that our actions have forced authorities to take us seriously. There are of course people who are not fans of our work, but there are quite a few FragDenStaat supporters among authorities – even if they don’t show that publicly”.

    Another campaign focuses on migration politics across Europe, and specifically Frontex, the border force. FragDenStaat have been working in collaboration with Luisa Izuzquiza at AccessInfo to file requests and build up a picture of human rights violations towards migrants: “You can file FOI requests for Frontex documents anywhere in Europe, so we’re asking in different countries for ‘serious incident’ reports: these will tell you of human rights violations”.

    This campaign, too, has involved FragDenStaat filing a lawsuit, this time in the European Court of Justice in Luxembourg. The hope is that it will clarify the degree to which Frontex is open to public scrutiny. Again, the costs of litigation are borne by supporters who are encouraged to chip in with a small donation of a few Euros, ideally on an ongoing monthly basis.

    Arne says, “EU migration politics is a topic that I have worked on for a long time now. I think that it’s heavily underreported, especially since Frontex has gained a lot of power and budget increase over the last few years. By talking to activists in the field, we learned what kind of documents might be produced by the agency on a regular basis and we began systematically requesting them”.

    Shockingly, the reports released show that Frontex are well aware of such abuse but close their eyes to it.

    “A report about Libyan refugee camp said it had ‘concentration camp-like conditions’ – and you can be sure that if a German person says that, it is serious. It proves they are aware of the conditions, even though they are doing nothing about them”.

    There have been results to this campaign: the European Commission has now issued a statement saying that they would investigate the claims.

    Arne Semsrott spoke at AlaveteliCon, mySociety’s conference on FOI and technology, in September 2019.

    Arne is one of the folk behind FragDenStaat, which is the German equivalent of our own WhatDoTheyKnow. Unlike many of the FOI sites around the world, FragDenStaat is not run on the Alaveteli platform, but on bespoke software that was inspired by WhatDoTheyKnow in the days before our codebase was made easier to install.

    Incidentally, if you are running a campaign, you can also use pre-written requests in tandem with Alaveteli sites, including WhatDoTheyKnow. Instructions are here.

    Image: Jen Bramley

  4. AlaveteliCon 2019: technology, investigations and collaboration

    We’ve just come back from a heady couple of days in Oslo, where our AlaveteliCon event brought together those with a shared interest in the technology around Freedom of Information — in all, around 50 journalists, researchers, technologists and activists from 18 different countries.

    As our Head of Development Louise announced in her opening words, AlaveteliCon has always been a slight misnomer, given that we’re keen to share knowledge not just with those who use Alaveteli, but with all the FOI platforms in our small but growing community — including MuckRock in the US and Frag Den Staat in Germany, both of whom were in attendance.

    It was a timely event for us, as we embark on work to introduce our Alaveteli Pro functionality to newsrooms, researchers and campaigners across Europe, with an emphasis on encouraging cross-border collaboration in campaigns, research and journalistic investigations.

    As well as picking up practical tips, we heard a variety of inspiring and instructive stories from FOI practitioners around the world; brainstormed ways forward in increasingly difficult political times; and shared knowledge on funding, publicity, site maintenance, and how to keep good relations with FOI officers.

    Some of the most inspiring sessions came when delegates shared how they had used FOI in campaigns and investigations, from Vouliwatch’s Stefanos Loukopoulos explaining how they had taken their own government to court, to Beryl Lipton of MuckRock explaining why the government use of algorithms can have effects that are unforeseen, and indeed petrifying.

    There was an affecting story from freelance journalist Mago Torres, who told us about a long campaign to map clandestine graves of those caught up in the war against drugs in Mexico; and from Camilla Graham Wood of Privacy International, on that organisation’s work to uncover some of the rather sinister but not widely known technologies being put into use by police services in the UK.

    So much knowledge came out of these two days. We don’t want to lose it, so we’ll be making sure to update the conference page with photos, videos and the speakers’ slides as soon as they’re available. Meanwhile, you can follow the links from the agenda on that page to find the collaborative documents where we took notes for each session.

    Thanks to the Adessium Foundation and the NUUG Foundation for making AlaveteliCon 2019 possible. We hope it won’t be another four years before we all get the chance to come together again.