ORG policy update/2016-w14

This is ORG's Policy Update for the week beginning 04/04/2016.

If you are reading this online, you can also subscribe to the email version.

ORG's Work

  • Opt Me Out Of Location campaign- ORG launched a campaign on opting out of location data being collected by phone companies, following the publication of mobile data report. The campaign has been organised with Krowdthink who published their own report on mobile data collection. The campaign provides public with details on how to opt out of location collection and calls for a change of the consent behaviour of Mobile and Wi-Fi Operators.

Official Meetings

  • Jim Killock attended a public conference on the reform of e-Privacy Directive organised by the Greens in the European Parliament on 6 April 2016, where he presented findings of the mobile data report released this week.


Labour party raises concerns about parts of the Investigatory Powers Bill

Andy Burnham MP has written to Theresa May MP, the home secretary, setting out seven areas of Labour's concern about the Investigatory Powers Bill following the first round of evidence hearings in the Public Committee last week. Burnham said if these concerns are not appropriately dealt with, they will be unable to support the Bill. The particular areas that Labour would like to improve are:

1. New clause on privacy – a presumption of right to privacy should be included at the start of the Bill to set the right context for the rest of the Bill.

2. Internet Connection Records – the Bill goes beyond what is required by the Police and NCA in terms of the ICRs, specifically thresholds and access for public bodies. Burnham said that “I do not think it is necessary or proportionate for information held in ICRs to be accessed in connection with lower-level offences. Instead, I think this threshold should be set at serious crime and that this should be defined in the Bill as an offence that attracts a maximum sentence of not less than three years in prison.”

3. Independent assessment of bulk powers – as previously suggested by contributions at Second Reading of the Bill, the operational case for bulk powers outlined in the Bill leaves something to be desired. Burnham suggests that “the simplest way to proceed would be, firstly, to produce a more detailed operational case and, secondly, to accept the recommendation of the Joint Committee and commission an independent review of all the bulk powers.”

4. Definitions of “national security” and “economic well-being” - the definitions need to be reconsidered and the terms to be defined more explicitly. “Alongside terrorism and serious crime, it could include attacks on the country's critical and commercial infrastructure. If you were to do that, the "economic well-being" test could be then dropped altogether.”

5. Equal-lock judicial authorisation – the double lock authorisation should be swapped for the equal-lock. “That means a judicial commissioner having the same ability to look at the merits of the case and not just the process… In addition, the 'double-lock' is dependent on the judicial commissioner approving the decision of the Home Secretary to issue a warrant as set out in part 17 of the Bill.”

6. Misuse of communications data - “ should be clearer that a criminal offence is created for the deliberate misuse of any of the Bill’s powers. This should relate to both the obtaining of data without due cause and any improper use to which obtained data is put.”

7. Protections for sensitive professions – effective protections need to be brought in to address legal, journalistic and parliamentary privilege.

Burnham emphasised that he hopes they “can together produce a bill that commands a high degree of confidence and trust.”

The Committee is scheduled to have its next hearings to consider the Bill on 12 April and 14 April 2016. Guidelines on how to submit written evidence can be found here.

Intellectual Property Office (IPO) Issued Guidelines on What to Do after Receiving an Infringement Notice

The IPO published guidelines for members of public on what should be their next steps after they receive a letter alleging online copyright infringement. The letters are sent to internet account holders on behalf of copyright owners, alleging a download or upload of copyright protected content on their account without payment. The guideline clearly states not to ignore the letter and provides contact information to places where public can get further assistance. Publication of the guidelines comes after the City of London Police took other steps to combat copyright infringement and shared the Infringing Websites List with the advertising industry. It is likely more initiatives tackling copyright infringement will be put in place due to the upcoming copyright law reform consultations under the European Digital Single Market Strategy.

ORG is preparing a response to these guidelines and will be writing to the IPO to ask for some changes to be made to them.

Other National Developments

UK Terror Watchdog Will Leave His Post Next Year

David Anderson QC, Independent Reviewer of Terrorism Legislation, has confirmed that he does not intend to ask for a third term as Independent Reviewer of Terrorism Legislation after the expiry of his current term in February 2017. Anderson added:

“I have found the job immensely rewarding. But I will soon have submitted some 20 reports over six years, not to mention 5,000 tweets, and expressed my opinions on the terrorism laws (and allied subjects) countless times to parliamentary committees and to media. I believe that from early next year (by which time I aim to have published four further reports), the value I can bring to the role will begin to decline, and that it will be time for a new incumbent with a new set of skills.”

Most recently, David Anderson has been submitting evidence to the Joint Committee (A Question of Trust report) and Public Committee of the Investigatory Powers Bill. He stated that the Bill “gets the most important things right” after it has passed its second reading. He was also tasked with leading an independent review of the powers required by police and spooks, and the regulatory framework within which that law should be exercised, in light of the Data Retention and Investigatory Powers Act 2014.

The hiring process for a replacement will begin in the next month or two, according to Anderson. There is a guarantee of challenging times ahead for the new terror watchdog with the Investigatory Powers Bill becoming an act at the end of 2016.

In his statement, Anderson also said that his office will be appointing three special advisers. The office of Independent Reviewer of Terrorism Legislation was promised additional assistance last year and all three advisers will be serving for at least the remainder of Anderson's time as Independent Reviewer.

They are:

  • Clive Walker QC, Professor Emeritus of Criminal Justice Studies at the University of Leeds, a world expert on counter-terrorism law and my existing special adviser, who will now be in a position to devote more of his invaluable time to the work of the Independent Reviewer.
  • Alyson Kilpatrick BL, a barrister in England and Wales and in Northern Ireland who has served as independent Human Rights Adviser to the Northern Irish Policing Board since 2009.
  • Hashi Mohamed, a practising member of the Bar of England and Wales and an occasional broadcaster, including on terrorism and migration.

UK Computer Scientist Told to Hand Over His Crypto Keys in US Hacking Case

The National Crime Agency (NCA) demanded that a British computer scientist, Lauri Love, decrypts his laptop and other devices impounded by the NCA in 2013. He is, allegedly, responsible for damages amounting to several million dollars after breaking into US government networks. The decision in this case could set a precedent for whistleblowers and journalists. Love was initially arrested in 2013 for alleged intrusions but subsequently released. He was rearrested in 2015 and is now fighting extradition to the US. In the meantime, he has refused to comply and decrypt his devices which could potentially lead to jail time. Love has not been charged with any crime and currently is counter-suing for the return of his devices. This case is particularly worrisome because the UK agency can force Love to comply and to decrypt all of his devices, and consequently turn the evidence to the US. This case would suggest that “the right not to provide evidence against oneself is cherished in the US and around the world but apparently not so in the UK”, said Dr Richard Tynan of Privacy International. Love said that “the NCA are effectively arguing that any information that cannot be read and comprehended by the police has a presumption of guilt." The NCA's argues that Love should decrypt his devices to demonstrate that the data they contain belongs to him and demands that Love provide a witness statement indicating his entitlement to the allegedly stolen data. The decryption demand arguments will be heard in the court on 12 April 2016. Love’s extradition case is still ongoing and the extradition hearing is set for 28 to 29 June 2016.


EU-Canada PNR Agreement Hearing

The European Court of Justice held a hearing on 5 April on the EU-Canada agreement on Passenger Name Records (PNR). The hearing was set up to decide about the referral made on 25 November 2014 by the European Parliament on the EU-Canada agreement on PNR and its compliance with EU law. Passenger Name Records include such information as name and contact information, the date of the travel and complete itinerary, the form of payment, frequent flyer information, meal preferences and medical information, and in some cases they will include data on hotel bookings, car rentals, train journeys, travel associates, etc. All the different types of information that can be collected create a substantial insight into the individual's private life and pose a threat to privacy. The agreement between the two countries allows for the transfer of passenger’s information flying between the European Union and Canada. The result of the referral could have a further impact on the proposal for a PNR directive (Fight against terrorism and serious crime: use of passenger name record (PNR) data).

Four main issues came up during the hearing:

  • ambiguity on anonymization – the European Commission claimed that the data is anonymized after 30 days; however the data is merely depersonalized by masking certain identifiers which does not qualify as anonymization;
  • relevance of the collection of PNR to fight crime – there are no convictions made based on the PNR data;
  • inconsistency with data retention periods between other countries and the EU – the period currently varies from five to 15 years in other countries;
  • oversight in Canada PNR is not carried out by an independent authority.

The hearing highlighted that PNR collection is not a proportionate means to prevent international crime and terrorism in the EU. A nonbinding opinion from the Advocate General of the Court is expected on 13 June 2016, with a final ruling to follow after the summer.

Advice of EU Advocate General on Copyright Infringement

Advocate General, Melchior Wathelet, has sent a statement to the European Court of Justice on copyright infringement related to hyperlink. In his advisory opinion, the Advocate General reviewed a dispute between the Dutch weblog and Playboy. The Dutch portal published a post linking to leaked Playboy photos in 2011. The Dutch Court asked the European Court of Justice to rule whether these links can be seen as a “communication to the public”under Article 3(1) of the Copyright Directive, and whether they constitute copyright infringement. The Advocate General acknowldged that the hyperlinks facilitate the discovery of the copyrighted works; howver, it is not copyright infringement.

He said:

“The actual act of ‘making available’ is the action of the person who effected the initial communication. Consequently, hyperlinks which are placed on a website and which link to protected works that are freely accessible on another site cannot be classified as an ‘act of communication’ within the meaning of the Directive.”

The advice of Advocate General is not binding, but often the European Court of Justice uses such advice to support its rulings. The advice could set a landmark ruling; however the Court stresses that the advice only applies to this particular case. The final ruling is expected to be released later this year.

The case and final ruling will have implications for website blockings by Internet Service Providers in the UK. The ISPs currently block access to sites that are suspected of linking to pirated content. In the UK, this is still considered a copyright infringement. If the advice of the Advocate General is followed in the upcoming ruling, the UK will likely have to adjust the stance on whether linking to pirated content is copyright infringement.

International Developments

Panama Papers and Journalistic Privilege

The Panama Papers, an unprecedented leak of 11.5m files from one of the biggest offshore law firms, have serious implications for journalists and protection of their sources. Protection of the journalistic privilege has been discussed under the latest draft of the Investigatory Powers Bill. The Bill in its current state fails to provide sufficient safeguards for journalists (and legal professional privilege) by ignoring “the clear distinction between privileged and non-privileged communications and gives authorities the power to intercept sensitive, highly confidential communications that have nothing to do with criminality, national security or threats to individuals”, said Peter Carter QC.

Michelle Stanistreet, National Union of Journalists general secretary, said:

"The current proposals contained within the investigatory powers bill justify the state surveillance of journalists and represent a significant threat to press freedom in the UK.

"The Panama papers clearly show the importance of protecting journalistic communications and sources from state surveillance. We are urgently calling on all politicians to take action and amend the legislation to safeguard press freedom in the UK."

Unsatisfactory protection of sensitive professions was raised earlier this week by Andy Burnham MP in his letter to the home secretary, Theresa May MP, where he threatened that Labour might withdraw support for the Bill if the Bill fails to provide better safeguards for legal, journalistic and parliamentary privilege.

The sections of the bill that impact on journalists include powers to:

  • Obtain journalistic communications data
  • Intercept journalistic communications
  • Access and examine citizen’s bulk data
  • Interfere with equipment (hacking computers to gain access to passwords, documents, emails, diaries, contacts, pictures, chat logs and location records and/or turn on microphones or webcams and/or alter or delete items).

Clause 68 of the Bill does not offer extensive safeguards for the media. It lacks prior right of notification for the journalist or media organisation and mechanisms to challenge or appeal the decision. Under this clause, the Investigatory Powers Bill would make it very difficult for journalists to protect sources and whistleblowers.

End-to-end Encryption for WhatsApp

WhatsApp revealed that the company has added an end-to-end encryption to every form of its communication service. It uses the Signal protocol (formerly known as Axolotl), which was created by Moxie Marlinspike’s Open Whisper Systems. Open Whisper Systems has received a total of $2.25 million from the Open Technology Fund whose primary funder is the United States government. WhatsApp’s white paper explains that the encryption protocol uses perfect forward secrecy, meaning that "even if encryption keys from a user’s device are ever physically compromised, they cannot be used to go back in time to decrypt previously transmitted messages."

Following the Apple-FBI case of a locked iPhone in San Bernadino shootings, it is likely that WhatsApp will shortly be facing the government in court after the move to end-to-end encryption. In 2014, WhatsApp encrypted a portion of its network and it has been reported that the service has been used to facilitate criminal activity. The recent developments are bound to lead to further discussions on cooperation of tech companies with government for the sake of fighting crime on national and international level.

ORG Media Coverage

See ORG Press Coverage for full details.

2016-04-04-Google's parent company is deliberately disabling some of its customers' old smart-home devices
Author: Rob Price
Summary: Jim Killock quoted on the lack of transparency from Nest towards their customers about their products.
2016-04-04- Public open to cybercrime thanks to location tracking
Author: Jane MacCallion
Summary: Jim Killock quoted on mobile data being used by mobile companies for other purposes without customers’ consent.
2016-04-04-British mobile phone users’ movements 'could be sold for profit’
Author: Damien Gayle
Summary: Jim Killock quoted on mobile data being used by mobile companies for other purposes without customers’ consent.
2016-04-04-British Mobile phone users most vulnerable to cyber criminals
Author: CIOL writers
Summary: Jim Killock quoted on mobile data being used by mobile companies for other purposes without customers’ consent.
2016-04-05-Wikimedia Sweden art map 'violated copyright'
Summary: Jim Killock quoted on the necessity for “freedom of panorama” for ordinary photographers in the digital age.
2016-04-05-Mobe and Wi-Fi firms flog your location data to commercial firms, claim reports
Author: Alexander J Martin
Summary: ORG published a report on how phone companies exploit their customers’ data.

ORG Contact Details

Staff page