ORG parliamentary and policy update/2014-w06
This is ORG's Parliamentary Update for the week beginning 03/02/2014
If you are reading this online, you can also subscribe to the email version.
Official Meetings
Javier Ruiz attended a workshop by the Royal Society titled "Cybersecurity Research Ethics and Responsible Disclosure", part of their project "Cybersecurity research: a vision for the UK".
NSA and GCHQ updates
See our full list of the Guardian and Snowden’s revelations.
GCHQ deployed DoS attack against 'hacktivists'
New documents show that an anti-terrorist unit at GCHQ, the Joint Threat Research Intelligence Group, used a denial-of-service (DoS) attack against the 'hacktivist' groups Anonymous and LulzSec.
The unit reportedly directed these attacks at chat rooms frequented by hackers. Its members also acted as regular users of the chat rooms to identify individual hackers who had stolen user information from websites. This operation led to the arrest of a man who had stolen account information from PayPal and used it to make personal purchases.
An official from the secret unit said in a separate document that the unit's mission included launching covert technical operations; jamming phones, computers and email accounts; impersonating 'enemies' in false flag operations and computer network attacks and disruptions.
Further documents stated that messages were directed to those suspected of involvement in DDoS attacks, in an attempt to dissuade them. They sent messages through Facebook, Twitter, Skype and email. According to the documents, 80% of those messaged were not in the chat rooms one month later.
It should be noted that DoS attacks are explicitly prohibited in the UK under the Computer Misuse Act 1990 (as amended by the Police and Justice Act 2006 section 36).
GCHQ used hackers' tactics to attack adversaries
Documents created for a cyber spy conference in 2010-2012 reveal that a secret unit in GCHQ, the Joint Threat Research and Intelligence Group (JTRIG, mentioned above), used 'dirty tactics', that is, tactics that would be used by hackers, to target adversaries.
The documents said JTRIG's purpose was to "destroy, deny, degrade [and] disrupt" enemies by "discrediting them".
They explain that their "Effects" campaigns are divided into cyber attacks and propaganda operations. Cyber attacks include 'false flag' operations: online actions made to look like they were carried out by a British adversary. Propaganda operations include the use of social media platforms such as Facebook, Flickr, Twitter, YouTube and blogs to push news and other stories.
GCHQ neither confirmed nor denied any of the above; it instead released the following statement:
- “All of GCHQ's work is carried out in accordance with a strict legal and policy framework,” said the statement, “which ensure[s] that our activities are authorized, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All of our operational processes rigorously support this position.”
NSA tapped German chancellor's phone from 2002
An NSA document that originally revealed the surveillance of the current German chancellor's phone has recently been reinterpreted, and confirmed by insiders in the American security agency, as describing a programme to spy on the German chancellor, regardless of who holds the position.
German media outlets Süddeutsche Zeitung and NDR report that former chancellor Gerhard Schröder, who held the position from 1998 to 2005, had his phone spied on starting around 2002. They suspect he was placed under surveillance because of his opposition to the Iraq invasion.
Consultations and departments
A full list of open consultations and Parliamentary events can be found on our Events
Business secretary hosts meeting between ministers, senior officials and regulators to discuss cyber security
Vince Cable, Secretary for the Department for Business, Innovation and Skills, hosted a summit, gathering ministers, officials from the security and intelligence agencies and regulators from the financial, water, energy, communications and transport sectors. They discussed ways to strengthen cyber security and responses to cyber threats.
They agreed on three steps:
- Use tests to examine the resilience and procedures against cyber threats
- Adopt security standards and practices similar to The 10 Steps to Cyber Security
- Create platforms to share information on new initiatives (similar to Cyber Security Information Sharing Partnership)
The Department has published a communiqué detailing the proceedings.
Police to have access to NHS online database, regardless of opt-out
David Davis MP has confirmed that law enforcement authorities will have access to patient records, which are due to be uploaded to a central database (also known as care.data). Currently, police interested in collecting a suspect's medical records must request them directly from the person's GP.
However, Mr Davis said they will have access to the central database through a 'backdoor', without requiring a warrant. They will also be able to access the records whether or not a patient has decided to opt out of having their records transferred from their GP. There is currently no further information on how this will be permitted.
Think-tanks and businesses will have the opportunity to apply and, if successful, will have to pay a fee before obtaining a set of data. Last year, insurance firm Bupa was confirmed to be successful in their application. Advocates argue the programme will benefit research and medical practices while protecting patients' identity, as any information will be pseudonymised. However, privacy experts are warning that even when data is pseudonymised, it is easy to identify individuals by the information not concealed. Further, the Information Commissioner's Office has warned there has not been sufficient information available to patients about the database.
Government Bills
Anti-Social Behaviour, Crime and Policing Bill in ping-pong stage between two Houses
The Anti-social Behaviour, Crime and Policing Bill is going back and forth between the two Houses of Parliament, as they debate the proposed amendments.
The bill is set to make changes to the Terrorism Act 2000. One of the relevant amendments changes Schedule 7 of the Act, which outlines rules for stopping and searching at ports and airports. Under the new bill, an added paragraph (11) in Schedule 7 will allow border police to seize and make copies of any items on a suspected passenger who has been detained, including laptops and other electronic equipment. Despite concerns expressed by the Joint Committee on Human Rights regarding the broad range of powers and minimum threshold for detention, this section has not been debated or reformed by either house.
You can view the bill as it was delivered from the House of Commons online (page 172 from line 30).
Debates and questions
Question on number of 'online attacks' and identity theft experienced by HM Revenue and Customs
In an answer on the security of HM Revenue and Customs against online threats and identity theft, Lord Deighton said that the systems had never been breached.
In the case of identity theft, he said they work with customers to deal with the problem and close websites within seven and a half hours if they have been identified as posing a threat to customers.
Question on the legality of abusive pornographic content
A question was asked on when the Secretary of State for Justice was going to implement a ban on pornography depicting rape.
Damian Green MP answered that new legislation would be introduced to make such material illegal and to criminalise its possession. He said this would be part of an attempt to make the internet safer for children and protect women from violence.
No further comments were made on how they would proceed with detecting such content.
International Developments
Turkish Parliament passes bill tightening government control on internet
The Turkish Parliament has passed a bill that will tighten their control over the internet. The bill will allow their telecommunications authority to block websites, without a court order. It also requires ISPs to store all customer information for two years.
The country's Industry and Business Association and the Internet Technology Association both criticised the bill as overriding existing checks and balances and not being clear on any of the procedures.
These changes come after social media platforms, blogs and video websites were widely used in organising anti-government protests in June. However, as the country is a candidate to be a member of the European Union, the move has also invited criticism from the European Commission. A spokesman said: "The Turkish public deserves more information and more transparency, not more restriction (...) The law needs to be revised in line with European standards".
European Union
Google agrees to comply with EU competition commissioner and display fairer amount of competitors in search results
On Wednesday, Google agreed to change the way their search results display competitors' suggestions. The company had come under investigation by the European Commission for unfair practices. According to a web metric company, Google has a 75% share of the web market in Europe.
During the investigation the commission identified the following as major concerns about Google's practices:
1. They do not display a fair amount of competitors for specialised services. (For example, when a user is searching for a venue or a product, Google primarily displays suggestions from Google Reviews, rather than alternatives such as Yelp or TripAdvisor.)
2. They use competitors' content in their own specialised services without prior authorisation (such as reviews from competitors' websites).
3. When making agreements with Google, publishers have to agree to the exclusivity of Google search advertisements.
The company has agreed to make changes for each of the concerns. However, the agreement was reached without being reviewed by third parties, who would oversee whether the commitments were sufficient.
Commercial Stakeholders
Tech companies publish number of content demands by NSA
Following the US Department of Justice's decision last week allowing tech companies to publish the number of surveillance requests by the surveillance court (FISA), Yahoo, Google, Facebook, Apple, Microsoft and LinkedIn have published their corresponding numbers.
The following list shows the number of US national security content orders during the first six months of 2013.
- Yahoo - between 30,000 and 30,999 accounts
- Microsoft - between 15,000 and 15,999 accounts
- Google - between 9,000 and 9,999 accounts
- Facebook - between 5,000 and 5,999 accounts
- Apple - between 0 and 249 accounts
- LinkedIn - between 0 and 249 accounts
(Each company has published more details on their respective websites.)
However, it should be noted that despite the information requests by the FISA court, intelligence agencies can directly intercept popular social networking sites to collect user information as has been revealed by the 'Snowden documents'.
ORG Media coverage
See ORG Press Coverage for full details.
- 2014-02-06 - Index on Censorship - Around Town: Don’t Spy on Us #TheDayWeFightBack (11 Feb)
- Author: David Heinemann
- Summary: Open Rights Group action