This is ORG's Policy Update for the week beginning 11/04/2016.
If you are reading this online, you can also subscribe to the email version.
- ORG submitted written evidence on the Request Filter to the Public Committee on the Investigatory Powers Bill before its third and fourth sittings on 12 April 2016.
- Jim Killock attended The 2016 BILETA conference organised by the University Of Hertfordshire School Of Law and participated in the panel on surveillance and bulk powers.
- Javier Ruiz attended an ePrivacy workshop, "Towards a future proof ePrivacy Legal Framework", in Brussels that followed the launch of the consultation on the Evaluation and Review of the ePrivacy Directive.
IPBill Public Committee Sittings
The Public Committee on the Investigatory Powers Bill had its 3rd and 4th (12 April) and 5th and 6th sittings (14 April). The Committee was discussing amendments to the Bill. The SNP have tabled “radical amendments” to the IPBill concerning removal of the Request Filter (there has not been any vocal support from Labour on this occasion). They have also pushed for removing the extraterritorial effects of warrants in the Bill and presented a case to move the Single Point of Contact (SPoC) scheme under the authority of the Investigatory Powers Commissioner. During the third and fourth sittings, the main concerns were raised over amendments on:
- lack of safeguards for secondary data
Keir Starmer questioned the safety of the wide bulk retention powers in relation to secondary data and called for amendments for targeted safeguards.
a) Systems data - defined as data which enables or otherwise facilitates, or identifies or describes anything connected with enabling or facilitating, the functioning of any postal service, telecommunications system or any telecommunications service provided by means of the system or any other relevant system or service provided by means of that relevant system;
b) Identifying data - data which can be logically separated from the communication and which does not, once separated, reveal the meaning of the content of the communication. Identifying data is defined as data which can identify, or assist in identifying, any person, apparatus, telecommunication system or telecommunications service, or which identifies an event, or may be used to identify the location of any person, event or thing.
Joanna Cherry said: “Our amendments would apply the same processes and safeguards for the examination of information or material obtained through bulk interception warrants and bulk equipment interference warrants, irrespective of whether the information or material pertains to individuals in the British Isles, and to require a targeted examination warrant to be obtained whenever secondary data obtained through bulk interception warrants and equipment data and information obtained through bulk interference warrants are to be examined.”
A point about targeted examination warrants made by both Labour and the SNP was contradicted by John Hayes MP, who claimed that secondary data needs to be accessed without a warrant in order to assess whether the individuals concerned are located in the UK.
The question of warrants sparked further discussion of amendments of their definition. Keir Starmer endorsed mandatory use of equipment interference warrants but stressed it is necessary to limit them in their definition. On the other hand, Simon Hoare claimed that “we must fetter those who wish this country and its citizens ill, so it is potentially a good idea to have some breadth in the definitions.” John Hayes later reassured the Committee members that the warrants will be targeted after they were previously questioned by Joanna Cherry.
David Anderson QC expressed appreciation for the inclusive attitude of the Solicitor General towards the standing counsel role as amicus curiae in relation to applications for approval of warrants. The Committee agreed on the majority of clauses discussed that day (up to Clause 29). Clause 14 on obtaining secondary data was agreed to be left out. Only a handful of amendments were accepted on the day. Some of them have been withdrawn. Joanna Cherry, in particular, withdrew some of her amendments so they would not be shut down now and could be discussed at a later stage.
- extraterritoriality – the dilemma faced by foreign companies required to comply with UK law, which is likely to cause a conflict of laws
- public interest defence for whistleblowers
- intercept evidence and its admissibility in court
More details on the later sittings will follow next week.
IPB Written Evidence - ORG Request Filter
Open Rights Group has submitted a report on the Request Filter to the IPB Public Committee prior to its third sitting. The report explains that because the Request Filter allows automated searches of very large datasets, it can constitute a highly intrusive search facility that has the potential for population profiling, fishing trips and the generation of new data. The report gives advice on how to restrain the filter. “ORG’s view is that the Request Filter should be deleted from the Bill. While data correlation and minimisation techniques can be legitimately used, we believe that provision of a common front end search to highly intrusive datasets is simply too open to abuse and mission creep.” The SNP tabled several amendments to remove the Request Filter.
IPB Written Evidence – National Union of Journalists
- Safeguards for journalists should apply across the different powers set out in the bill and not just apply to communications data.
- Protections for journalists should apply to communications, material and activity regardless of whether or not the authorities intend to identify a journalistic source.
- The new powers in the bill should involve an open and inter partes process. The media need to be able to challenge and appeal requests so that public interest and press freedom arguments are put forward and considered.
- The IPB should not enable the state to interfere in the legitimate and democratic activities of independent trade unions.
The NUJ held a Speak in Safety event on 11 April to challenge MPs to scrutinise the IPB. Legal experts called for greater protection in the Bill for Legal Professional Privilege alongside representatives of the National Union of Journalists (NUJ), who claimed that the draft in its current form would sound the ‘death knell’ for whistleblowing and investigative journalism. Chantal-Aimée Doerries QC, chairman of the Bar Council for England and Wales, said these powers should be given only in exceptional and compelling cases, where there is fear of an imminent threat of death or serious injury or a serious threat to national security. She said people and governments in the Far East look to Britain for an example of how to behave and this bill could be used as an example for regimes to undermine individual freedoms in other parts of the world.
Michelle Stanistreet, NUJ general secretary, considers the bill a major threat to journalists being able to do their job. “Journalists and society need an open and transparent process if the authorities used these powers. Government has ignored advice from many quarters, including the parliamentary intelligence and security committee, and has used spin and lies to defend the bill. The unintended consequence will be to destroy people’s confidence in being able to approach a journalist to uncover abuse of power. It will also undermine the effectiveness of trade unions.” Amendments regarding the position of journalistic and legal privilege were discussed on 14 April.
IPB Written Evidence – National Crime Agency
The National Crime Agency has submitted evidence that offers greater detail on a number of issues:
- clarification of what legislation currently governs Law Enforcement’s use of the powers that are being refreshed in the IPB;
- common misconceptions in respect to Law Enforcement’s use of investigatory powers and the provisions that the IPB make for Law Enforcement;
- the Law Enforcement authorisation process for the three powers of targeted Communications Data (CD), Equipment Interference (EI) and Lawful Intercept (LI) as they currently stand under existing legislation; and
- examples of the use of EI and CD for law enforcement investigations into a range of criminal activity.
The report contains several detailed diagrams of the process for obtaining warrants. Previously, an independent review revealed that the NCA used flawed warrants to search properties and seize evidence in hundreds of live cases. The failings are so serious that key evidence could have to be relinquished in 51 cases being brought against some of Britain’s most serious gangsters, the review found, while technical errors will have to be disclosed to the defence in a further 242 cases.
List of Written Evidence Submitted to the IPB Public Committee
The full list of written evidence can be found here.
Oral question – Vehicle Hacking
Mark Pritchard MP asked the Department for Business, Education and Skills to discuss with vehicle manufacturers improvements to in-vehicle technology to prevent vehicle hacking. Anna Soubry MP responded that government is actively engaging with the automotive industry to develop understanding and capability around the evolving cyber threats to vehicles. “It is important that vehicles are "secure by design" and government is working with industry to ensure the opportunities of these new technologies can be realised safely and securely.” The automotive sector will be considered as part of the wider agenda on cyber security under the newly announced National Cyber Security Centre.
STOP Terrorists’ & Extremists’ Online Presence
The National Counter Terrorism Security Office announced that on Friday 15 April 2016, a 36 hour period of extended activity will take place in the Counter Terrorism Internet Referral Unit (CTIRU) as part of the STOP Terrorists & Extremists' Online Presence campaign. The campaign aims to protect young and vulnerable individuals from being targeted by other individuals with extreme views. The CTIRU has been removing terrorist and extremist material from the online space. In addition to this, they are trying to improve the situation by engaging with communities and maintaining the strong relationship between the public and police. The Counter Terrorism Security Office set up an official channel for the public to report online terrorist material. It has been reported that radicalisation of children and teenagers has been increasing with the growing lure of Syria and Isil. More information can be found on Prevent Tragedies.
Child Safety Online : Age Verification
Another initiative targeting child safety online is aimed at age verification for pornography. A collaboration of the Department for Culture, Media & Sport, the Department for Education, the Government Equalities Office and Baroness Shields closed a consultation on 12 April 2016. The consultation seeks to find appropriate means to deliver the requirement of age verification for access to pornographic sites. The feedback is now being analysed and should be available soon. The consultation refers to data from ComScore indicating that 1.4 million visitors to adult sites were under age in May 2015. The government is trying to replace the easily circumventable check of simply asking visitors to state their age (predominantly an issue with free sites).
However, there is an issue with territoriality that is not fully recognised in the consultation. The outcomes of the consultation will have an impact on UK-based businesses; those operating outside the UK may not comply. This situation would possibly result in further orders for ISPs to block these sites.
Previous attempts to regulate "have seen ISPs introduce internet filters, which have had mixed results. Some have been turned on by default, blocking adults from accessing pornographic material." Additionally, some sex education, charity and information sites were blocked as well due to incorrect labelling.
Other National Developments
Ad blocking on the Guardian
The Guardian announced they will be testing pop-up messages asking readers to switch off ad-blockers. The newspaper is considering preventing readers from accessing its content if use of ad-blocking software becomes widespread. The Guardian is following the lead of the German tabloid newspaper, Bild, which asked readers to switch off ad blockers or pay a monthly fee to use their website.
A German regional court, however, has ruled that the use of Adblock Plus on websites is legal. The reason behind this ruling is that there is no contractual agreement between publishers and visitors to their websites that would indicate they have agreed to view the served ads.
In the UK, City AM was the first newspaper to test a ban on readers using ad blockers. It is likely more businesses will adopt a similar attitude towards ad blocking software, since a vast array of sites rely on online advertising as their fundamental source of funding. Research shows that one fifth of people who have downloaded an ad blocker no longer use it because they are not able to access content. Culture Secretary John Whittingdale MP announced in March his intention to bring together major publishers, social media groups and ad-blocking companies to discuss the issue and the potential involvement of the government.
National surveillance camera strategy: outline document
The Surveillance Camera Commissioner published a strategy on how his office will approach developing the impact of the Surveillance Camera Code of Practice. The strategy is supposed to reassure the public that surveillance cameras are put in place to protect them rather than to look at them. It will outline proportionate and transparent means to deliver the purpose of the strategy. The strategic plan will be put in place by March 2020. The Surveillance Camera Commissioner (SCC) will deliver the strategy in particular through:
- “Providing direction and leadership in the surveillance camera community with the aim of promoting best practice through compliance with the principles and guidance associated with POFA Code.”
- “Promoting best practice in all sectors of surveillance camera operation, whether the operator is a relevant authority under a statutory duty to have regard to the POFA Code or is free to follow the Code on a voluntary basis.”
Publication of the strategy followed shortly after the SCC Tony Porter explained his position based on the same principles in a blog post. The SCC’s message mainly stresses transparency: “with surveillance cameras now a part of our everyday lives it’s important that people know why they are being monitored and are able to access information about systems.”
PNR Directive and General Data Protection Regulation both approved by the European Parliament
The European Parliament has successfully passed the General Data Protection Regulation (GDPR). The new data protection rules have been under negotiation for over four years. The reform will replace the current data protection directive with a general regulation designed to give citizens more control over their own private information. The new rules include provisions on:
- a right to erasure whereby people can ask for personal data about them to be erased,
- "clear and affirmative consent" to the processing of private data by the person concerned,
- a right to transfer your data to another service provider,
- the right to know when your data has been hacked,
- ensuring that privacy policies are explained in clear and understandable language, and
- stronger enforcement and fines up to 4% of firms' total worldwide annual turnover, as a deterrent to breaking the rules.
The European Commission first vice-president Frans Timmermans; the vice-president in charge of the Digital Single Market Andrus Ansip; and the commissioner for justice, consumers and gender equality Věra Jourová released a joint statement about the GDPR.
“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The GDPR will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.” It is also expected that the legislation will enable smoother delivery of the Digital Single Market Strategy and will stimulate growth of the European Market value in general.
The new data protection rules also cover a directive on data transfers for policing and judicial purposes. Police and criminal justice authorities across Europe will be able to exchange information more smoothly. This is supposed to help prevent future terrorist attacks. Member States will have two years to transpose the provisions into national law. Due to the UK and Ireland's special status regarding justice and home affairs legislation, the directive's provisions will only apply in these countries to a limited extent.
The same reasoning was behind the Passenger Name Records (PNR) Directive that was approved in the same plenary session. The Directive will result in the creation of databases containing personal information of everyone who travels across the European Union. It has been argued that this legislation will have a negative impact on people’s privacy and will enable data theft, misuse, abuse, and profiling. Passenger Name Records include such information as name and contact information, the date of travel and complete itinerary, the form of payment, frequent flyer information, meal preferences and medical information, and in some cases they will include data on hotel bookings, car rentals, train journeys, travel associates, etc.
“In contrast, the GDPR sets an overall positive precedent for data protection standards across the EU. It provides a mostly harmonised, directly applicable set of rules to be uniformly enforced across the EU, which will benefit individuals and businesses alike. This legislation introduces the welcome concept of data protection by design and by default, the aim of which is to promote a privacy-friendly approach to the development of new services” said Estelle Massé from Access Now. The agreement on the PNR Directive contradicts the opinion of the Article 29 Data Protection Working Party, which expressed their concerns previously.
European Court of Justice Data Retention Hearing
The Court of Justice of the European Union (CJEU) held an emergency hearing that could have implications for the Investigatory Powers Bill, which is currently passing through Parliament. The CJEU examined the legality of Britain’s surveillance laws in conjunction with a Swedish case based on similar principles (Tele2 Sverige v Post- och telestyrelsen). The legal challenge was brought forward by Conservative MP David Davis and Labour MP Tom Watson. The CJEU has been asked to explain its April 2014 Judgment in a case brought by Digital Rights Ireland, which ruled that blanket data retention severely interfered with the rights to respect for private life and the protection of personal data. The Court also declared the European Data Retention Directive invalid. Shortly after the Digital Rights Ireland Judgment, the British government fast-tracked the Data Retention and Investigatory Powers Act (DRIPA) through Parliament, which allowed for retention of personal communications data by Communication Service Providers (CSPs) in the UK. The High Court ruled that DRIPA was inconsistent with EU law. The Government appealed the High Court’s decision and the CJEU was called in to explain how the Digital Rights Ireland ruling should apply to the UK. The future ruling will clarify whether blanket retention of and self-authorised access to communications data – records of emails, calls, texts and web activity – by police and other authorities breach people’s fundamental right to privacy and protection of personal data.
During the hearing, Open Rights Group, Privacy International and the Law Society made statements emphasising the significance of this case on a global scale, its implications for privacy rights and the lack of safeguards. Their statements were followed by Member State submissions, starting with Sweden and the UK. The Swedish submission defended the necessity of data retention for the effectiveness of rapid decisions and the general obligation to keep data for very important measures. The UK submission attempted to defend the stance of “we cannot know in advance what data is necessary and valuable”. According to the statement, data retention does not carry an excessive level of intrusion because it is the commercial service providers who keep the data, not the authorities. The UK continued to favour national security and stressed that it should be up to national courts to check that specific standards and requirements are met. Most of the following Member State submissions carried a similar message, with some exceptions. Germany took a less rigid stance and focused on the compatibility of data retention with fundamental rights. This notion was supported by Spain, who do not see general data retention as an indispensable measure, and Finland, who called for the same level of justification on both ends: retention and use.
Both Judge Thomas von Danwitz and the Advocate General Henrik Saugmandsgaard questioned the indispensability and scope of general data retention. The Advocate General's opinion in the Davis and Watson challenge (Tele2 Sverige and Ors) will be handed down on 19 July 2016. The outcome of the hearing will have an impact on the Investigatory Powers Bill because the IPB would extend the data that is retained by CSPs to include Internet Connection Records (described as records of browsing history). The IPB would also allow the police and government departments to authorise internal access to this data. The Bill would fail to meet the criteria that independent courts/bodies should authorise access to data.
The Philippines Election Hack
The personal information of 55 million voters from the database of the Philippine Commission on Elections (COMELEC) has been exposed in one of the worst government data breaches in the world. Anonymous admitted they are behind the hack. “It’s believed Anonymous’ motivation was to persuade the commission to switch on security features in the vote counting machines ahead of national elections on 9 May.” The data has since been circulated on both the dark and clear web. The leaked data contains a substantial amount of sensitive personal data, including the fingerprints of 15.8 million individuals and passport numbers and expiry dates of 1.3 million overseas voters. Speaking to media, COMELEC said this week that no fingerprint, signature, or facial biometrics data had been exposed in the attacks.
According to security researchers at Trend Micro, voters could be targeted in phishing or spear phishing attacks, BEC schemes, blackmail, extortion and more. It added that the incident highlights once again the need for organisations to classify, segregate and protect data based on its sensitivity – under the watchful eye of a data protection officer. The Filipino breach exceeds the US government’s Office of Personnel Management (OPM) hack last year, which leaked personally identifiable information including fingerprints and social security numbers of 20 million US citizens. The number of records apparently spilled by the COMELEC leak also surpasses a periodically recycled Turkish data breach potentially affecting nearly 49 million Turks.
Apple v. FBI Saga
Apple said that it will not try to go to court to demand that the FBI inform it how they broke into the phone of the San Bernardino shooter. Apple’s attorney confirmed that the company did not know how the authorities unlocked the phone, but the security breach would be fixed shortly as Apple continues to strengthen its security. Apple stated that it is not clear why the hack would only work on the 5C model running iOS 9. The US government earlier released an official policy for determining when to disclose security vulnerabilities, the Vulnerabilities Equities Process (VEP). Since in this case the FBI used a vulnerability to get into the iPhone, the VEP must apply and Apple must be informed of the vulnerability to maintain its users' security.
Despite the FBI being able to access the San Bernardino phone, the Justice Department told a federal judge that it would continue to pursue a court order demanding Apple extract data from a seized iPhone at the centre of a New York drug probe. The New York case differs from the San Bernardino case in several ways. “Apple was asked to build software to help the authorities unlock the iOS 9 device of suspected terrorist Syed Farook. The company said its security on that phone did not allow it to gain access, and that's why the feds wanted it to create new software to undermine the phone's security. Whereas in the New York case, Apple does have the ability to access the locked phone running iOS 7, but is refusing to do so.” Apple has assisted the authorities in unlocking encrypted phones in the past but decided against cooperation this time. Apple considers the government’s move to access the New York phone another attempt to set a legal precedent.
ORG Media Coverage
See ORG_Press_Coverage for full details.
- 2016-04-11-Glasgow University under fire for monitoring cleaning staff with 'dehumanising' fingerprint scanners
- Author: Peter Geoghegan and The Ferret
- Summary: Jim Killock quoted on how biometrics are a particularly intrusive kind of authentication at a workplace.
- 2016-04-11-Glasgow University spent £40k on fingerprint tracking for cleaners
- Author: Joe Stenson
- Summary: Jim Killock quoted on how biometrics are a particularly intrusive kind of authentication at a workplace.
- 2016-04-12-MP calls for limit on UK surveillance powers as EU test case opens
- Author: Owen Bowcott
- Summary: Jessica Simor QC, representing ORG, quoted on mass retention of data not being permissible under the EU’s e-privacy directive.
- 2016-04-12-ORG hopes for data collection clarification from CJEU
- Summary: Myles Jackman quoted on anticipating clarification of the ruling in the planned emergency hearing by the Court of Justice of the European Union (CJEU) that would impact the Investigatory Powers Bill.
- 2016-04-13-Cassetteboy's latest video is an amazing, danceable anti-Snoopers Charter mashup
- Author: Cory Doctorow
- Summary: Reference to the ORG’s petition to Theresa May regarding the Investigatory Powers Bill.