ORG policy update/2016-w13
This is ORG's Policy Update for the week beginning 28/03/2016. If you are reading this online, you can also subscribe to the email version.
Parliament
Investigatory Powers Bill Public Committee Debate
The first and second sitting of the Public Committee debate were held on 24 March 2016. A number of witnesses gave oral evidence to the Committee. A list of submitted written evidence can be found here.
The Committee will be meeting again on 12 April and 14 April 2016.
To submit written evidence, follow the guidelines here.
Investigatory Powers Bill - Don't Spy On Us and Liberty gave oral evidence
Eric King (Don't Spy On Us) and Sara Ogilvie (Liberty) gave oral evidence on bulk powers and internet connection records (ICRs) to the Public Committee on 24 March 2016. In the evidence they highlighted that:
- Bulk interception is not proportionate – it is impossible to craft a warrant that would appropriately assess the proportionality equation in the current conditions. These powers need to be targeted. They will generate some additional collateral but it needs to be proportionate collateral.
- There is an issue with the current legal framework not recognising the shift in massive computing power intruding on communications in a sophisticated way.
Eric King said that “the main reason for that is that it is time consuming. If you can program a computer to do the heavy lifting, to do the intrusion, the processing and the analysis, that is to their advantage, and that is where they have put that.”
- The sheer volume of information does not make it less of a threat to privacy. Computer analytics of such material is going to increase, meaning that the more data is collected, the more intrusion will be applied as cheaper, faster and better ways are found to process it. “Perhaps five years ago, swamping agencies with material might have resulted in people passing through, but every day, that becomes less likely and less real,” King said.
- There has been a lot of focus on the fact that bulk interception would be foreign-focused; however the nature of current technologies fails to make this a practical reality. The goal to collect material outside the UK using bulk interceptions is unattainable.
- The operational case for bulk powers would benefit from a whole range of experts outside the Information and Security Committee (ISC) to be looking at this issue. It is advisable to follow the example of the US – to have an independent scrutiny of many of the operational cases for test purposes.
David Anderson is not persuaded of the same case. He stated in his oral evidence that “the ISC demonstrated its independence in the most dramatic way possible in its report of early February when it declared that it thought that there was no need for one of the bulk powers—bulk equipment interference.”
- The ICRs do more than they are supposed to in terms of creating a database of internet connections of every person across the country that take place on a daily basis. All the information that is stored somewhere can be accessed by other individuals for nefarious purposes.
- The bulk nature of ICRs will fail to deliver information that would be considered helpful.
Sara Ogilvie said that “if anything, it seems more likely to drive criminals to use bits of the internet that will not be captured by the service. On the one hand, we have clear evidence of the things that law-abiding citizens are doing, but on the other hand, we do not have evidence on what criminals are likely to be doing.”
- The ICRs are not the answer to identifying abusers in the UK. The proposal by the police did not have the same scope of the ICRs as it appears in the Bill. It might be more proportionate to put in place new powers for IP resolution as specified in the Counter-Terrorism and Security Act 2015.
Dr Paul Bernal brought forward, as part of his written evidence, an alternative suggestion “that Internet Connection Records be removed from the Bill until a two-year independent feasibility study is undertaken, after which a decision could be made whether or not add them to the law.”
- The reassurance that judicial commissioners will be granted broader powers needs to be written into legislation.
David Anderson clarified that he found it sufficient to have the powers of judicial commissioners set out in the code of practice. “I would certainly assume that the judges would have access to all the evidence that the Home Secretary or the Secretary of State had access to. I believe I have actually had a private assurance that that would be the case. I am afraid I have not checked to see whether that is in the code of practice, but plainly it ought to be, because this is not a rubber-stamp and nor is it simply a test of rationality or process. If it needs to, it should involve a proper look into these issues of necessity and proportionality.”
More from David Anderson’s written evidence can be found here.
Investigatory Powers Bill - National Crime Agency gave oral evidence
In their oral evidence given later the same day, the National Crime Agency (NCA) clearly specified what they expect to get from the ICRs:
“We believe that what we will get is down to the domain name, so it will give us, for example, The Guardian newspaper website, the easyJet website, or thetrainline.com. It will not give us beyond that. If we wanted to go beyond that, we would then have to go to that company with the appropriate authorisation in order to obtain any further details. What we need is to get to the front door. That is what we have been asking for.”
Keir Starmer further questioned what in the Bill's definition would ensure that ICRs merely get law enforcement agencies to “the front door” and no further. The Bill does not offer such a definition at present; however, Chris Farrimond (NCA) agreed that as long as the definition meets the requirements they have put forward, they would not oppose a clearer definition of ICRs as a “front door” opener.
The NCA would use ICRs in a similar manner to communications data. “That is potentially to identify further lines of inquiry—for example, that communications service that is accessed. It could be for evidence of illegal material, or the use of illicit material, whether that be child abuse imagery or counter-terrorism-related material, but also to provide a seed for further inquiry, such as thetrainline.com for us to establish, for example, where a suspect has travelled to and where they are intending to travel to.”
Investigatory Powers Bill - written evidence submitted by IT-Political Association of Denmark
IT-Political Association of Denmark (IT-Pol) is a Danish civil society organisation that works to promote privacy and freedom in the information society. Denmark was facing a similar proposal to internet connection records - a “session-logging” system. On 17 March, Danish justice minister Søren Pind abandoned the session-logging scheme for the second time. Based on their experience, IT-Pol submitted written evidence to the Public Committee with recommendations as follows:
- The Danish experience with ICR data retention casts serious doubts on whether it is possible to develop an ICR implementation which keeps costs at a reasonable level and, at the same time, is sufficiently effective for law enforcement. The new, very expensive Danish ICR proposal does not even include the server name and hence the need for DPI.
- The Home Office expects that the cost of ICR data retention will be 175 million pounds over a 10-year period. This is unlikely to be sufficient (given the Danish cost projections) unless ICR retention notices are only used for a small part of British internet access services.
(The cost of the data retention has been criticized by Lord Strasburger.)
- Therefore, the ICR plans will either be very expensive or have limited coverage. Moreover, the purpose of ICR collection is very easily defeated. Using a VPN connection or the Tor network will effectively hide the final destination of the internet traffic and make the collected ICR data useless from the viewpoint of law enforcement.
- For these reasons, and in particular the lack of proportionality for ICR data retention, IT-Pol recommends that the Investigatory Powers Bill is amended so that retention notices cannot include internet connection records.
Investigatory Powers Bill - written evidence submitted by Apple, Facebook, Google, Microsoft, Twitter and Yahoo
Apple, Facebook, Google, Microsoft, Twitter, and Yahoo joined other tech companies submitting written evidence to the Public Committee on 24 March. They addressed what they regard as problems that have previously been highlighted with the bill, and not yet adequately dealt with. Some of the issues in question are:
- Extraterritorial jurisdiction
“Unilateral assertions of extraterritorial jurisdiction will create conflicting legal obligations for overseas providers who are subject to legal obligations elsewhere. … We believe a more sustainable and workable approach lies in developing new international agreements.”
- Technical issues – encryption
“The Bill should be amended so that there is an explicit threshold: where a service is encrypted end-to-end, the Bill should recognise it will not be reasonably practicable to provide decrypted content, rather than leave this to be established on a case-by-case basis.”
“The Bill should be amended to make clear that ‘third party data’ cannot be collected, either directly or indirectly via provisions on ICRs.”
- Bulk collection
The companies call for more explicit language when it comes to bulk powers - any collection should be pursuant to a specific identifier. The companies “also believe that the general safeguards sections should explicitly include 'minimization' provisions, ensuring that only the necessary and proportionate amount of data is obtained, analysed and retained. All other data should be destroyed.”
- Oversight
The requirements stated in the evidence underline an oversight structure as an essential key to public confidence. Amendments should “empower the Judicial Appointments Commission to appoint the Investigatory Powers Commissioner and the Judicial commissioners; and provide for a statutory provision in the Bill that the Investigatory Powers Commissioner and the Investigatory Powers Tribunal can act on complaints from any party, including overseas CSPs, without either committing a disclosure offence or accepting jurisdiction.”
- Network integrity and cyber security requirements
The evidence criticised the absence of statutory provisions relating to the importance of network integrity and cyber security, and of any requirement for agencies to inform companies of vulnerabilities they identify that may be exploited by other actors (a sensitive requirement given the present development of the Apple v. FBI case). The amendments the companies suggest are:
a) prohibit the execution of a warrant that would result in an interruption of service to users of the targeted system; b) introduce statutory provisions recognising the importance of network integrity and cyber security; c) provide reassurance on the face of the Bill that there is no conflict with CSPs’ statutory obligations to keep user data and infrastructure secure; d) require UK authorities to notify any relevant company of vulnerabilities when a warrant either expires or is cancelled.
Ministerial Statement on National Cyber Security Centre
The Cabinet Office released a statement that the new National Cyber Security Centre (NCSC) will open in October 2016. The NCSC will be a part of GCHQ and will be bringing together cyber security functions from across government. The current functions of Computer Emergency Response Team UK (CERT-UK), currently under Cabinet Office, will move into the NCSC. The NCSC will focus on the financial sector as a top priority. One of the NCSC’s first tasks will be to work with the Bank of England to produce advice for the financial sector for managing cyber security effectively.
The Strategic Defence and Security Review confirmed that the Government would invest £1.9 billion over the next five years in protecting the UK from cyber attack and developing our sovereign capabilities in cyber space, including by creating a national cyber centre in 2015.
Other National Developments
The Police Intellectual Property Crime Unit (PIPCU), in partnership with the Internet Advertising Bureau UK (IAB UK), the Institute of Practitioners in Advertising (IPA) and the Incorporated Society of British Advertisers (ISBA), and with support from creative industry groups, released the Infringing Website List (IWL). The list was created to tackle sites that provide unauthorised access to copyrighted content as a part of Operation Creative. Operation Creative is the successor to previous campaigns, the first targeting site owners and demanding that they act legally or stop their service, followed by another targeting domain registrars and asking them to suspend the domain names of several “pirate” sites. The IWL is an online portal containing an up-to-date list of allegedly copyright infringing sites, identified and evidenced by the creative industries and verified by the City of London Police unit. The aim of the IWL is that advertisers, agencies and other intermediaries can voluntarily decide to cease advert placement on these illegal websites and maintain their brand safety. The publication of the list aims to disrupt the advertising revenues of infringing websites worldwide. The list is not, however, subject to any independent court authorisation or verification.
However, the City of London Police made clear that the list will not be made available to the public. This creates a threat of overblocking without any public oversight. While the objective of reducing monetary flows to infringing websites is legitimate, as neither the private actors nor the police are directly supervised by the courts, there are worrying aspects to the current approach.
Edward Snowden Correspondence Released
The Foreign and Commonwealth Office (FCO) released correspondence about Edward Snowden, responding to a request made under the Freedom of Information Act. Some of the information has been withheld on the basis of a number of exemptions: section 23 (information supplied by or relating to security bodies), section 24 (national security), section 27 (international relations), section 35 (formulation of government policy), section 40 (personal data) and section 41 (information provided in confidence) of the Freedom of Information Act 2000.
The information is free to be used for personal purposes, non-commercial research and news reporting.
Any other re-use would require the permission of the copyright holder (most documents released by the FCO are protected by Crown Copyright).
UK submitted response to UN Working Group on Assange case
The UK submitted a formal response to the UN Working Group on Arbitrary Detention (WGAD) relating to the Julian Assange case. WGAD's opinion, published on 5 February 2016, articulated that the actions of the UK and Sweden constituted arbitrary detention, and that the detention violated his rights. In the wake of the published statement, Julian Assange said that he expects the “immediate return” of his passport and a stop to further attempts to arrest him.
The UK submitted a “formal request for consideration”, stating that:
- Julian Assange has never been the subject of arbitrary detention. His human rights have been protected throughout the process and will continue to be protected if and when he is extradited to Sweden;
- Julian Assange was refused bail and therefore detained for 10 days in Wandsworth Prison. His detention during that period was absolutely in line with the relevant legislation and regulations.
- Julian Assange lost appeals at all stages of the court process. The fact that the court process took some 18 months cannot be considered excessive or unfair in any way. During this period he was granted bail and so cannot be considered to have been detained.
Opinions formulated by the UN Working Group are not legally binding. The Working Group’s decision on whether or not to review their opinion will be made during the next session, starting on 18 April 2016 in Geneva.
Europe
Emergency Hearing on the Bulk Interception of Communications Data
An emergency hearing on the bulk interception of communications data has been scheduled for 12 April 2016 at the European Court of Justice (ECJ). The dispute concerns powers of the Home Office “to require public telecommunications operators to retain communications data for a maximum period of 12 months.” The judge noted that “it is clear that national legislation that permits the retention of all electronic communications data and subsequent access to that data is liable to cause serious interference with the fundamental rights laid down in articles 7 and 8 of the Charter” of Fundamental Rights of the European Union. The final ruling could have an impact on the powers of GCHQ. The hearing follows from the ECJ ruling in Digital Rights Ireland. This precedent was used previously to overrule the Data Retention and Investigatory Powers Act 2014 (DRIPA) on the grounds that it is “inconsistent with European Union law”. April's hearing is expected to be attended by David Davis MP and Tom Watson MP, who already brought DRIPA to the ECJ for scrutiny. The case has been brought forward with an intervention from the Open Rights Group, Privacy International, and The Law Society of England and Wales.
Public consultation on the role of publishers in the copyright value chain and on the 'panorama exception'
The European Commission is launching a public consultation on the role of publishers in the copyright value chain and on the 'panorama exception'. The consultation period runs from 23 March to 15 June 2016. The issue of publishers and the copyright value chain has been labelled by the media as a “Google tax on snippets”, which would require search engines to pay for using short extracts to link to articles on other sites. Despite the fact that the European Parliament's legal affairs committee rejected the approach in its report on updating copyright, the EU's commissioner for digital economy and society, Günther Oettinger, said that he was "open" to the idea of taxing snippets. This persistent stance is surprising, taking into consideration the evidence from publishers claiming that the “neighbouring rights” harm them. In Spain, this law resulted in Google withdrawing its Google News service after it was clear Google would be subjected to payments to publishers for snippets. Similarly in Germany, publishers ended up giving Google free licenses to their materials.
International Developments
FBI Cracked San Bernardino iPhone without Apple's Help
Government prosecutors have submitted a formal request to a federal judge to cancel her previous order compelling Apple to assist with unlocking an iPhone used in the San Bernardino attacks in 2015. The request came after the FBI was able to access the data stored on the iPhone and no longer required assistance from Apple. The Israeli firm Cellebrite was potentially working for the US government to unlock the phone, and it has been speculated that the method was a NAND mirroring attack. FBI director James Comey insisted previously that the whole case is about fighting terrorism and not setting a legal precedent. Prior to this new development, Apple made a statement that it would insist in court on knowing everything about the vulnerability. The government is reluctant to disclose to the public whether it will pass information on the access method to Apple. In general, it appears unlikely to disclose full details of its techniques to Apple, since it does not face any legal obligation to reveal such details.
However, the new method of accessing the phone raises questions about the government’s apparent use of security vulnerabilities in iOS. A decision to withhold disclosure of vulnerabilities would leave ordinary users at risk from malicious third parties who also may use the vulnerability. The US government released an official policy for determining when to disclose security vulnerabilities, the Vulnerabilities Equities Process (VEP). If the FBI used a vulnerability to get into the iPhone in the San Bernardino case, the VEP must apply and Apple must be informed of the vulnerability to maintain their users' security.
ORG Media Coverage
See ORG Press Coverage for full details.
- 2016-03-24-Sputnik News - Brussels Bombings Bring Calls for Greater Surveillance Powers
- Summary: ORG quoted on gathering bulk communications data being a breach of privacy.
- 2016-03-29-The Register - William Hague: Brussels attacks mean we must destroy crypto ASAP
- Author: Alexander J Martin
- Summary: Jim Killock quoted on judges being better equipped for issuing authorisation for interception warrants.
- 2016-03-29-Infosecurity Magazine - San Bernardino Case May be Over, but Gov Access Issue Will Not Go Away
- Author: Michael Hill
- Summary: Jim Killock quoted on it being advisable that the FBI discloses the insecurity to Apple to uphold general computer security.
- 2016-03-30-Guardian - UK plans to track all internet connections could cost £1bn, campaigners warn
- Author: Alan Travis
- Summary: ORG, as a member of the Don't Spy On Us coalition, quoted on estimated costs of web history data retention.
- 2016-03-30-The Inquirer - Snoopers' Charter could cost local police forces £1bn
- Author: Dave Neal
- Summary: ORG, as a member of the Don't Spy On Us coalition, quoted on estimated costs of web history data retention.
- 2016-03-30-BBC News - Sex worker caught by 'drone vigilante' pleads guilty
- Author: Chris Baraniuk
- Summary: Jim Killock quoted on the general issues drone owners are facing with regard to privacy.
ORG Contact Details
- Jim Killock, Executive Director
- Javier Ruiz, Policy
- Ed Johnson-Williams, Campaigns
- Pam Cowburn, Communications
- Lee Maguire, Tech
- Myles Jackman, Legal Director