ORG policy update/2016-w22

This is ORG's Policy Update for the week beginning 30/05/2016.

If you are reading this online, you can also subscribe to the email version.

ORG's work

  • We've been busy planning events in London, Manchester and Bristol on 8 and 9 June. We will be screening the Scenes of Reason documentary 'The Haystack' with a Q&A in London and Bristol and a debate in Manchester afterwards. Make sure you book your place on Meetup London, Manchester or Bristol.

Official meetings

  • Jim Killock met with e-voting experts to discuss any serious proposals there might be for this technology, which ORG believes is very risky.



The IPBill is due to go through the Report stage next week on 6 and 7 June. The Third Reading of the Bill will take place right after the Report stage also on 7 June. All the amendments submitted up until now can be found here.

The Bill stages have been preceded by an announcement of concessions that Theresa May MP agreed on.

Home Secretary made concessions on the IPBill

The concessions made by Theresa May are a result of concerns raised by Labour, Liberal Democrat, SNP and backbench Tory critics. These will include:

  • the introduction of a new privacy clause - the clause makes it implicit that information should be gathered by less intrusive means where possible rather than by warrants and other authorisations.
  • protection for journalists – journalists' sources will only be identified after a consideration from the judicial commissioner. The commissioner will be able to justify their identification on the grounds of the overriding public interest.
  • the Wilson Doctrine – MPs' phones and computers can be hacked by law enforcement agencies only with an explicit approval from Prime Minister.
  • use and retention of bulk personal datasets and medical records – only data in exceptional and compelling cases will be retained.

Previously, the Home Secretary agreed to an independent review of the operational case for bulk personal data collection by the independent terror watchdog David Anderson.

Andy Burnham MP, last week in response to Theresa May MP setting up an independent review, said that Labour will require more changes in the Bill on the privacy clause, Internet Connection Records, judicial authorisation and modification of warrants, protection for sensitive professions and health records before they grant their support.

MPs' emails accessed by GCHQ

The Wilson Doctrine concession announced by Theresa May MP came right after it has been reported by Computer Weekly that the GCHQ routinely accesses emails of MPs, including their correspondence with their constituents.

They are able to do so because Parliament uses Microsoft's Office 365 software and the data leaves and comes back to the UK constantly through Microsoft's datacentres in Ireland and Netherlands. Files and data leave the UK and therefore are directly exposed to GCHQ's bulk interception program, Tempora.

For this particular reason, even the Wilson Doctrine will not be able to protect MPs from having their communications intercepted. All data leaving the country is subjected to the Tempora system.

Committee on Human Rights publishes an assessment of the IPBill

The Joint Committee on Human Rights (JCHR) published their assessment of the effect of the IPBill on human rights in a report. The Committee has approved the Bill but made sure to detail their concerns over several areas in the Bill.

“The Joint Committee on Human Rights welcomes the steps which the Bill takes towards providing a clear and transparent legal basis for the investigatory powers already used by the security and intelligence agencies and law enforcement authorities, and towards enhanced safeguards. But the Bill could be improved to enhance further the compatibility of the legal framework with human rights.”

The provisions specifically covered in the report are:

  • bulk powers- the JCHR does not find them incompatible with the right to privacy; however they recommend an independent review by David Anderson before the Bill completes its passage, and then every five years to establish whether there is a need for bulk powers.
  • thematic warrants – the Committee finds that provisions on targeted interceptions and equipment interference are too broadly defined and they need to ensure that they are sufficiently specific to identified an unknown person. Large numbers of people should not find themselves in the scopes of warrants.
  • confidential communications – interception of the communications of MPs currently in the Bill requires that the Prime Minister is consulted before a warrant can be issued. The Committee reported that consulting the Prime Minister is not a sufficient safeguard. The report suggests that

    “the Speaker or Presiding Officer of the relevant legislature should be given sufficient notice of the decision to interfere with such communications to enable them, if they so wish, to be heard before the Judicial Commissioner. As well as the House of Commons, this includes the House of Lords, the devolved legislatures and the European Parliament.”

The report also recommends that more safeguards are necessary to protect legal professional privilege. It is unnecessary for the Bill to target confidential communication between lawyers and clients. It has been suggested that these provisions are removed from the Bill.
The Committee has found that safeguards for journalists in the Bill are weaker than safeguards provided in other contexts.

“the Bill should provide the same level of protection for sources as currently exists in relation to search and seizure under PACE 1984, including an on notice hearing before a Judicial Commissioner, unless that would prejudice the investigation.”

Written question on drones

Richard Burden MP again submitted a written question to the Secretary of State for Transport regarding the policy on the regulation of drones to protect the public from their misuse.

Robert Goodwill MP referred back to his answers earlier this month regarding the same issue. He briefly stated that personal data collected from drones is protected by the Data Protection Act 1998 and that drone operators should refer to the Information Commissioner's Office for guidelines on proper conduct.

The Secretary of State also said in his response that the Government will be consulting on drones over the summer period. Any legislative adjustments on drone use will be implemented in the Modern Transport Bill.

The Bill was introduced in the Queen's Speech this year and aims to consolidate all existing legislation on drones and their use. It should bring clarity into who has control over the drone issue.

Other national developments

IMSI catchers used in prisons

The first official confirmation of use of IMSI catchers (stingray) by UK authorities came from the Scottish Prison Service (SPS). A Freedom of Information request was answered by documents showing that the SPS was using IMSI catchers at two locations – HMP Shotts and HMP Glenochil.

IMSI catchers make mobile devices in their proximity connect to them instead of an official base station. They allow for discovering of mobile device's location and are capable of blocking the connection. It appears stingrays are used in prisons to eliminate use of mobile phones on the premises rather than to listen to conversations since it is a criminal offence to use a mobile phone from prison.

The stingrays in Scotland were commissioned to block out 2G and 3G signals only, not affecting 4G signals. For this reason, the systems were implemented in the two rural areas. The report shows that HMP Edinburgh was also considered; however because of already setting up 4G network the site was dismissed. HMP Edinburgh is located within an urban area and with the use of the IMSI catchers mobile users in the whole urban area would be affected, not just in the prison.

This is the first time it has been publicly admitted by one of the UK authorities that they use IMSI catchers. The UK police is well known for their use of stingrays but refuses to give any information to the public on the matter. Despite the SPS attempts to be transparent, the disclosure brings more issues to the surface. The SPS failed to consider full implications of their use of stingrays on the wider public that might just happen to be in the prison's proximity. The use of stingrays lacks any regulation that would limit data retention. In order to bring full transparency on the use of IMSI catchers, it is necessary to create a set of rules that would regulate conduct by authorities.


Online terrorism and hate speech Code of Conduct for tech companies

The European Commission announced voluntary code of conduct to tackle illegal online hate speech. The code was negotiated with big tech companies – Facebook, Twitter, Google, Microsoft, but with a limited input from civil society groups.

The initiative to create a code of conduct was started in 2015 by setting up the EU Internet Forum to counter terrorist activity and hate speech online. Predominantly US-based tech companies were consulted in the discussions. Civil society opinion was sought regarding terrorism, but these organisations had no input in discussions on hate speech.

The announcement has been met with a of criticism for a very vague definition of 'hate speech'. EDRi and Access Now expressed their disagreement with tech companies being responsible for policing the online hate speech crimes and criticised the Commission for leaving them out from the talks leading up to it. Both organisations announced in a joint statement that they will not take part in any future discussion in the EU Internet Forum.

EDRi points out what exactly makes the code of conduct undemocratic and unaccountable:

  • an explicit statement that companies will “take the lead” in policing controversial speech online, which means that law enforcement authorities will not be taking the lead;
  • an undertaking that IT companies will ban content that should already be legally banned;
  • an undertaking to review notifications against company terms of service first and then, “if necessary” to review them against the law. In practice, this means that the legal procedures for testing the legality of content against the law will never be used as the code of conduct asks for illegal content to be banned by terms of service.

The complaints have been taken up by the European Ombudsman who will be looking into why the two biggest digital rights groups in the EU were left out of the discussions.

Opinion of data protection watchdog on the Privacy Shield

As announced last week, Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), released his opinion on the draft Privacy Shield agreement.

Buttarelli said:

“the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision… .”

He paid detailed attention to six exceptions (terrorism, espionage, cybersecurity, transnational crime, weapons of mass destruction or threats to the US military) under US law that let authorities to collect bulk personal data. There has been an exchange between several MEPs asking for tighter definitions that would limit the bulk collection but the European Parliament only received a response from US government officials that these exceptions cannot be considered as too broad.

The opinion of the EDPS is not binding, however it puts even more pressure on the European Commission to increase the level of data protection for EU citizens. Last week the Members of European Parliament approved a resolution stating that the Privacy Shield proposals were in need of more work.

The Article 31 group, currently working on the Privacy Shield proposals, should make their decision by the end of June on whether to approve the deal so it could go into effect.

Facebook data transfers referred to the CJEU

The Irish Data Protection Commissioner (IDPC) said last week it would refer Facebook's data transfer practices to the European Court of Justice (CJEU). Since the Save Harbour agreement was struck down by the CJEU, tech companies operating within the European Union have been following data transfer rules outlined in their “model contracts”. The IDPC is asking the Court to determine the validity of Facebook's model contracts.

Ruling of the Court could have serious implications for other tech companies sending their data outside the EU. The model contracts are not likely to hold up in the Court, taking into consideration that the Safe Harbour agreement was abandoned and the new Privacy Shield deal is facing objections from various EU bodies as well as civil society.

No regulation for blockchain tech for now

The European Parliament voted last week to wait before creating legislation for blockchain technology. The MEPs suggested that this would be the best approach for a technology that is still merely in its infancy. A report by MEP Jakob von Weizsäcker recommended the European Commission sets up a task force to follow development of blockchain technology so it could regulation could be put in place when necessary. The Commission plans to set up a general fintech task force instead.

International developments

Iran requires messaging apps to store data in the country

Foreign messaging apps in Iran have been given one year by the Iran's Supreme Council of Cyberspace to move all the data about Iranian users to servers located in the country. The Supreme Council said that

"Foreign messaging companies active in the country are required to transfer all data and activity linked to Iranian citizens into the country in order to ensure their continued activity."

The measures were based on the "guidelines and concerns of the supreme leader" Ayatollah Ali Khamenei.

Iran already restricts access to social media platforms (Facebook, Twitter) as a part of its strict internet access controls. The new rule will predominantly affect WhatsApp and Telegram being the two most popular messaging services in the country. Just Telegram alone has 20 million users in Iran. Its popularity is ascribed to an end-to-end encrypted communication option.

End-to-end encryption might bring more problems for Telegram and WhatsApp. The apps would not be able to provide contents of conversations to the Iranian agencies because they do not have access to them. That can lead to the Iranian government putting a new measure in requiring building of backdoors into their software. If the companies decide not to comply, they would be forced to withdraw their service from the country. Either way, Iranian users would end up being deprived of a free speech tool.

China enforces real-name registration

China has been trying to make people register their real name when getting their phones. The newest strategy says that people who have not registered their SIM cards to their names yet will need to do so by June next year. Otherwise they might be disconnected from their mobile service.

China has been pressuring an increasing number of tech companies to require a real name and a phone number when signing up for their services. Officially, the rule is supposed to help prevent crime. However, it is clear that being provided with real names, the Chinese government will find it easier to conduct surveillance and censorship.

ORG media coverage

See ORG Press Coverage for full details.

2016-05-27-Web Inventor Criticises Government Plans for "Snooper's Charter"
Author: James O Malley
Summary: Jim Killock quoted on being pleased Tim Berners-Lee voiced concerns about the IPBill.
2016-05-27-PR Newswire-IPVanish Announces "Secure Sessions," First Ever VPN Podcast
Summary: Jim Killock gave an interview for a podcastregarding Rule 41, CISA and legislation on encryption.
2016-05-31-Breitbart-EXCLUSIVE: Major Liberal Orgs Slam Facebook-EU Plans To Block Free Speech
Author: Raheem Kassam
Summary: Jim Killock quoted on hate speech being tackled by law enforcement agencies rather than commercial companies.
2016-06-02-TMN Quarterly-The Great Personal Data Swindle
Author: Ken Wieland
Summary: Javier Ruiz quoted on the mobile data report findings.

ORG Contact Details

Staff page