ORG policy update/2015-w39

This is ORG's Policy Update for the week beginning 21/09/2015

If you are reading this online, you can also subscribe to the email version.

National Developments

New documents leaked showing GCHQ mass surveillance operations

Documents published by The Intercept reveal that GCHQ keeps a very large repository of metadata called Black Hole, collecting 50 billion records a day about innocent people. GCHQ used Black Hole as the basis for several surveillance programmes, including KARMA POLICE, which aims to create a web browsing profile of “every visible user on the Internet” or a user profile of every visible website. The article shows how heavily GCHQ relies on cookies, including those set by pornography and social media websites. The attached documents include insights into the very lax regulation governing GCHQ's access to metadata, including that of British citizens. Other examples of uses of the data include the analysis of a sample of seven million records to profile listeners of radio stations airing Islamic content.

The revelations have exposed the unaccountability of the UK intelligence service, particularly when it comes to metadata, which The Intercept attributes to an “opaque legal regime” and contrasts with the government's continued requests for more surveillance powers.

Buried in the article is the very important admission by GCHQ that they can access “the majority of the 1600” Internet cables passing through the UK.

Surveillance watchdog finds more breaches of RIPA code by Police Scotland's Counter Corruption Unit

Since March 2015, UK police have been required to follow the Acquisition and Disclosure of Communications Data Code and seek judicial approval before using the Regulation of Investigatory Powers Act (RIPA) to investigate journalists and identify their sources. RIPA allows police forces access to communications data and can be used to identify whistleblowers. The March code was introduced after widespread use of RIPA against journalists.

In July the Interception of Communications Commissioner's Office (IOCCO) announced that two forces had broken this code, one of which was identified by The Herald as Police Scotland's Counter Corruption Unit (CCU). The ensuing IOCCO investigation has now identified further breaches by the CCU. Scottish politicians, including Scottish Liberal Democrat leader Willie Rennie, have expressed concerns about the conduct and accountability of the police and called for additional safeguards to prevent further breaches.

NHS health apps fail to protect personal data

Three studies published by Imperial College London researchers have exposed privacy flaws in a large number of apps in the NHS England Health Apps Library. The research looked at 79 apps and found that 70 transmitted personal data over the internet, 38 had an unclear privacy policy and 23 sent personal identifying data (some also sending personal health data) without encryption. The nature of the information sent exposes users to identity theft and fraud, and The Guardian highlights these dangers alongside the government's aim to increase the use of online and mobile technology in health services. The worst offending apps have now been removed from the Library.

Surveillance Commissioner and Assistant Surveillance Commissioner appointments announced

Colin Mackay and Brian Barker have been appointed as Surveillance Commissioner and Assistant Surveillance Commissioner respectively. The Office of Surveillance Commissioners (OSC) provides oversight of those using covert surveillance, as defined by the Regulation of Investigatory Powers Act (i.e. it does not cover the use of surveillance by Security Services). It is a tribunal non-departmental public body of the Home Office, consisting of a Chief Surveillance Commissioner, six Surveillance Commissioners and three Assistant Surveillance Commissioners.

Digital Economy Inquiry accepting submissions

The Digital Economy Inquiry has been launched by the Business, Innovation and Skills Committee. Its scope includes intellectual property and “potentially disruptive technologies”. Written submissions can be made online and the deadline is 29 October 2015.

Legal Developments

CJEU Advocate General Bot declares EU-US Safe Harbor agreement invalid

The Advocate General of the Court of Justice of the European Union, Yves Bot, has issued an opinion declaring the Safe Harbor agreement invalid. Safe Harbor is the agreement between the European Commission and the US to ensure the adequacy of US data protection measures and permit the transfer of personal data from the EU under the Data Protection Directive.

The opinion follows the referral of a case to the CJEU by the High Court in Ireland after the Irish Data Protection Authority (DPA) refused to consider Austrian campaigner Max Schrems' complaint that the transfer of his personal data to the US by the European Facebook subsidiary based in Ireland is in breach of European data protection law. His claim is based on the revelations regarding widespread surveillance by the NSA in the US.

In the opinion, the Advocate General states that the European Commission decision on Safe Harbor does not reduce or eliminate the role of national supervisory authorities to assess complaints about it. He also declares Safe Harbor invalid on the basis that the US intelligence services carry out large-scale mass collection of data and the agreement does not afford any "effective judicial protection" for EU citizens. He argues that these issues mean that the Safe Harbor agreement fails to meet the requirements of the Data Protection Directive and constitutes an interference with European Charter rights.

The Advocate General's opinion is not legally binding; however, his opinions are usually highly influential on the CJEU's decisions. Should the CJEU follow his opinion in its ruling, European member states will be obliged to follow the judgment and companies may need to tighten their data protection measures in order to meet European requirements.

French data protection authority rejects Google Right to be Forgotten appeal

CNIL, the French data protection authority, has rejected Google's appeal against the May 2015 decision that they must remove links which meet the Right to be Forgotten criteria from non-European domains such as Following on from the CJEU's decision in the Google Spain case, Google has been required to remove links to personal data where they are incompatible with the Data Protection Directive. Google has responded to this requirement so far by delisting from European domains only. CNIL argue that this is insufficient to fully adhere to the data protection legislation as European internet users would otherwise be able to access delisted information through or other non-European domains. Google have criticised the requirement to apply the French decision globally as a form of censorship and an extension of European law beyond its jurisdiction. They must now either delist or face a fine, although further opportunities for an appeal are available should they be fined.

European Commission launch consultations on geo-blocking and platforms and intermediaries

The Commission have launched a public debate with online consultations on geo-blocking and other geographically-based restrictions when shopping and accessing information in the EU and on the regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy.

International Developments

Large tech companies give support to US bill granting government wider surveillance powers

Several leading technology firms, including IBM and Microsoft, have signed a letter supporting the Cybersecurity Information Sharing Act, which would override privacy policies and allow technology companies to share personal user data with the government without the need for judicial authorisation. The Act has been described as a “mass surveillance bill posing as a ‘cybersecurity’ bill”.

Chinese president meets with US tech firms to discuss trade, after government writes to them about “national security” measures

The Intercept has drawn attention to Chinese president Xi Jinping's meeting with the leaders of the US tech industry at the US-China Internet Industry Forum on Wednesday. This follows reports last week that the Chinese government sent letters to certain US technology firms requesting their compliance with national security measures when operating in China. The New York Times explains that such compliance extends to incorporating backdoors in encryption for the Chinese government and allowing the authorities access to user data. Amnesty International has called for tech firms to defend internet freedom and to ensure they are not complicit in technology-based human rights abuses.

ORG Media coverage

See ORG Press Coverage for full details.

2015-09-23 – BBC News Online – VW: Calls to let car software be examined by experts
Author: Leo Kelion
Summary: Pam Cowburn quoted on the need for openness from car companies on the technology they use and the dangers of restricting access to for research purposes.

ORG Contact Details

Staff page