ORG policy update/2016-w24

This is ORG's Policy Update for the week beginning 13/06/2016.

If you are reading this online, you can also subscribe to the email version.

ORG's work

  • ORG submitted a response to the consultation on EU copyright issues this Wednesday. We organised a campaign to Save Freedom of Panorama that served as evidence submitted to the European Commission. Thank you if you submitted your photos.
  • We have been tirelessly working on amendments for the IPBill to be submitted in the next stage in the House of Lords. We will be updating you on our progress soon.
  • ORG is preparing a workshop for people to learn to assess privacy threats they face day-to-day and protect themselves. Our campaigns officer Ed Johnson-Williams will be leading the workshop. You can find more information and register here.

Official meetings

  • Jim Killock appeared on the panel of a Privacy Lab organised by the Mozilla Policy team together with Caroline Wilson-Palow from Privacy International on Monday.



The IPBill entered the House of Lords last week and is currently on its way to the Second Reading. The Second Reading will be held on 27 June.

Following the debate during the Report stage and Third Reading, Keir Starmer and John Hayes MP published their letters to each other (Keir Starmer's letter, John Hayes' letter), as promised, to make their discussion on terms of reference for the independent review of bulk powers by David Anderson QC available to other MPs and the public.

After last week's vote in the House of Commons (444 aye, 69 nay), some amendments were accepted and got on the face of the Bill. The most notable concessions include general duties in relation to privacy, modifications to interception and equipment interference warrants, health records, approval of national security and technical capability notices by Judicial Commissioners, extra safeguards for MPs, trade unionists, journalists and civil liability for certain unlawful interceptions. Javier Ruiz explains them in more detail in a blog here.

The IPBill is now in the hands of the Lords, who will be scrutinising it further and, hopefully, will amend the outstanding issues. It is more likely the Bill will see an increased number of successful amendments, as suggested by experts and civil society groups throughout the process in the Commons.

In the meantime, the Bill is still being subjected to criticism from various sides. Alan Rusbridger, former Guardian editor, criticised the Bill in regards to its provisions on protection of journalists and their sources:

“If we don’t put it on front pages and push back as hard as we can as this bill goes through Parliament we are going to betray generations of journalists, because journalism involving confidential sources is going to be very difficult indeed.”

The Bill in its current form offers very vague protections for journalists that can be easily overridden by a claim for public interest. The National Union of Journalists is trying to get journalistic source protection to be woven throughout the Bill.

Further reports emerged this week of how GCHQ created specific programs to collect information on people's communications, movements and use of social media that were made available to the Scottish police. The Scottish Recording Centre (SRC) was given access to a classified project, MILKWHITE. The report is a result of classified documents newly released by Edward Snowden. The Snowden leaked documents were the initial push to fast track the Investigatory Powers Bill through Parliament to legitimise powers used by intelligence agencies in the UK.

Even if the Bill gets passed through the House of Lords, it can still be significantly impacted by a ruling in the Davis and Watson case in the European Court of Justice. The ruling will likely have an impact on data retention and the Request Filter.

Written question on electronic surveillance

Baroness Jones of Moulsecoomb asked the Government why the Investigatory Powers Bill limits judicial scrutiny to judicial review principles if both ministerial and judicial authorisation for warrants are required.

Lord Ahmad of Wimbledon responded that the Committee were satisfied with the use of judicial review principles. The Judicial Commissioner would have considerable flexibility in reviewing decisions to authorise the use of investigatory powers. When carrying out the review of the decision to issue the warrant, the Commissioner will do so with a sufficient amount of care.

Oral Question on a British Bill of Rights

Margaret Ferrier (SNP) asked when the Department of Justice plans to publish its consultation on a British Bill of Rights.

Dominic Raab MP, the Parliamentary Under-Secretary of State for Justice, responded that they will be reporting on the review in due course.

Margaret Ferrier followed up with a question whether the plans to repeal the Human Rights Act have been shelved since the Government amended the Investigatory Powers Bill last week to put a duty on public authorities to have regard to the requirements of the Human Rights Act.

Dominic Raab MP responded that the Human Rights Act will definitely be replaced by a British Bill of Rights.

Question on cybercrime insurance

Adam Afriyie MP asked the Secretary of State for Culture, Media and Sport what his department has been doing to spread awareness of cyber security insurance amongst businesses.

Ed Vaizey MP, Minister of State for Culture and the Digital Economy, responded that the Government published details of the joint initiative between them and the insurance sector to tackle cyber risk in March 2015.

Question on Digital Single Market

Stephen Timms MP asked the Department for Culture, Media and Sport what assessment has been made of the potential benefits for the UK digital economy brought by the EU Digital Single Market. He expanded his question into asking whether the Minister of State for Culture and Digital Economy will attempt to persuade the Secretary of State it would be damaging for digital jobs in the UK if the UK left the EU.

Ed Vaizey MP responded that the Digital Single Market strategy will increase GDP for Europe by 3%. He acknowledged that UK tech and digital companies benefit from membership in the EU.

David Nuttall MP asked the Minister about his stance on the “stifling nature” of EU rules for the internet. Ed Vaizey MP made clear that the Brussels bureaucracy is not stifling. The EU regulations stimulated the existence of 500 broadcast companies in the UK.

Other national developments

New Biometrics Commissioner

Professor Paul Wiles has been appointed as the new Biometrics Commissioner to replace Alastair McGregor QC. McGregor has completed his three-year tenure.

“Professor Wiles has spent much of his career as an academic criminologist at a number of UK universities and is currently a governor at Sheffield Hallam University and a trustee of the National Centre for Social Research. Until 2015 he was an adviser to the Sentencing Council, and has also worked as a local government boundary commissioner and sat on the board of the Food Standards Agency. Between 1999 and 2010 he was the Chief Scientific Adviser to the Home Office providing independent advice to ministers on scientific evidence and the analysis and interpretation of data.”

Tesco Mobile gives £3 discount for viewing ads

Tesco Mobile introduced a new scheme that will give people a discount on their mobile bill. In contrast to Three's approach of network-level ad blocking, the mobile operator is offering £3 off monthly bills if customers download an app that will show extra ads every few times they unlock their phone. Together with money off, Tesco Mobile will increase people's data allowance by 200 MB to cover any data used by the ads.

Qualifying for the discount has very specific rules in place. The customers must view ads or other marketing content on at least 21 days out of every month.

The app has been developed with Australian mobile advertising platform Unlockd. Use of this app can have serious privacy implications for customers. Ed Johnson-Williams explores them in a blog.

Unlockd's privacy policy states they will:

  • collect customers' location data to serve tailored adverts
  • create 'anonymous' data records of customers' personal data and use them "for any purpose"
  • transfer customers' personal data to the USA, the UAE, and India and process it there.

The use of the app can possibly reveal sensitive location data, puts people at risk of having their data records de-anonymised, transfers and processes personal data abroad and has implications for a widening digital security divide.

Three UK tries network ad blocking

As announced earlier in May by Three, the mobile network ran its network-level ad blocking trial on 15 June. The trial lasted 24 hours and affected ads on both mobile websites and apps.

Three said the ad blocking trial will only apply to some accounts. They also admitted that some ads might still be able to get through to customers. The mobile operator acknowledged some formatting issues where the ads were missing. Following the trial, Three will be getting in touch with some of their users for feedback. It is expected to take several months before the network decides whether to block ads on the entire network.

Previously Three explained their reasons behind the network-level ad blocking trial:

  • That customers should not pay data charges to receive adverts. These should be costs borne by the advertiser.
  • That customers’ privacy and security must be fully protected. Some advertisers use mobile ads to extract and exploit data about customers without their knowledge or consent.
  • That customers should be entitled to receive advertising that is relevant and interesting to them, and not to have their data experience in mobile degraded by excessive, intrusive, unwanted or irrelevant adverts.


Privacy Shield getting finalised

There has been an update on the progress regarding the new Privacy Shield deal. The US and the European Commission officials met on Wednesday to discuss the text. The European Commissioner for Justice Vera Jourova said she was expecting to have the text of the deal finalised by the end of this week or alternatively early next week. Members of the Working Group 31 will have two weeks to examine the text.

The deal is supposed to be voted on by the Working Group 31 consisting of national representatives on 29 June. The Working Group could not agree on the terms of Privacy Shield requested by the US previously and the text was sent back for further discussions. This time, the Commissioner is expecting a unanimous vote in favour of the Privacy Shield.

If the revised deal is passed by the Working Group 31, it will be further subjected to a vote in the European Commission on 5 July. If adopted by the Commission, the agreement will come into force in the EU jurisdiction immediately to replace the revoked Safe Harbour agreement that was struck down earlier by the European Court of Justice.

Even if the deal is approved by the European Commission, it can still be referred to the European Court of Justice if the previous concerns stemming from the Safe Harbour judgment have not been satisfactorily tackled.

Max Schrems hearing in Dublin

The US government has requested to be one of the parties involved in the Irish High Court case between Max Schrems and Facebook. The case started with Schrems filing an official complaint against the companies accused of leaking personal information to the NSA, exposed by Edward Snowden, on the grounds of misuse of his personal data.

The amicus curiae (friend of the court) request documents have not been filed yet, but the US government has until 22 June to submit them. Schrems is of the opinion that the US government is trying to defend their surveillance laws in the European Courts. Currently, there is no framework in place regulating transfers of personal data between the EU and the US after the European Court of Justice (ECJ) struck down the Safe Harbour agreement, and there has not been an agreement on the new Privacy Shield deal.

Other organisations submitted their requests to be joined - the American Chamber of Commerce, Business Software Alliance, and the Irish Business and Employers Confederation. These organisations use the same legal basis to transfer data to the US as Facebook.

The Irish Data Protection Commissioner Helen Dixon wants the Commercial Court to refer key issues for determination by the European Court of Justice (ECJ) before her office would make a decision on Schrems' complaint. The case is being fast-tracked and the hearing date was set for 27 June.

International developments

Poland tightens anti-terrorism surveillance law

The ruling conservative party in Poland passed a new counterterrorism law limiting freedom of assembly in vaguely phrased crisis situations and allowing for the surveillance and detention of foreign citizens.

The law will give a mandate to the Internal Security Agency to block websites considered a threat to national security and to let the police disable all telecommunications. In addition, intelligence agencies will gain access to key data on Polish citizens without prior approval by a court. The institutions affected by data collection are not going to be informed about the actions of intelligence agencies, according to the bill.

The bill is blurring the line between telecommunications shutdowns being a security tool or digital repression. It follows a string of laws that have vague phrasing, lack of public consultation, no democratic safeguards and quick adoption. The Polish counter-terrorism law is likely to be inspired by a similar one passed in Hungary in 2011 that gave the government powers of covert surveillance with minimal judicial oversight.

Ireland expands surveillance on its citizens

The Irish Garda Síochána has introduced proposals to expand its surveillance equipment and capabilities to collect data on Irish citizens. The new initiative is part of a five-year programme to modernise the police.

The programme will expand the use of surveillance technologies, such as CCTV and the Automated Number Plate Recognition (ANPR) technology. Furthermore, it will introduce biometric technologies – facial and body-in-a-crowd recognition to identify criminal targets.

Facial recognition technology has faced several objections from the Data Protection Commissioner (DPC) in Ireland when the DPC dealt with complaints against Facebook's use of facial recognition technology. The technology was eventually disabled for EU users of Facebook.

The five-year programme of surveillance update will have to comply with the ruling of the European Court of Justice in the Digital Rights Ireland case dealing with data retention practices.

Win for net neutrality in the US

The US broadband companies have lost their lawsuit on net neutrality rules this week. The Federal Communications Commission's net neutrality rules will remain intact for now after the US Court of Appeal did not find their claims based on the First Amendment satisfactory. The judges' decision said:

“Because a broadband provider does not—and is not understood by users to—'speak' when providing neutral access to Internet content as common carriage, the First Amendment poses no bar to the open Internet rules.”

One of the internet service providers involved in the case, AT&T, made it clear they are going to appeal the Court's decision. The issue will then be decided by the Supreme Court. AT&T together with other broadband providers and their associations claim that the FCC does not have statutory authority to reclassify broadband as a telecommunications service. The petitioners, on the other hand, label internet service an “information service”.

The decision allows the FCC to enforce net neutrality rules against blocking and paid prioritisation and to regulate fixed and mobile broadband providers. The strict net neutrality rules are a follow-up to their much weaker version that got challenged in courts by mobile phone company Verizon. The weaker net neutrality rules did not reclassify internet providers as common carriers. Verizon sued to overturn the weaker rules and won the case, but at the same time created a basis for the strict rules.

The stricter net neutrality rules are considered a victory for consumers, innovators and entrepreneurs.

US authorities won't be getting access to metadata

After last week's vote on amendments to the Electronic Communications Privacy Act of 2015 (ECPA), intelligence agencies will not be getting warrantless access to any email that has been read or is more than 180 days old.

The sponsors of the Bill announced they are not ready to let it go forward due to an amendment tackling National Security Letters (NSLs). (The NSLs demand personal information in terrorism and espionage investigations. They can be routinely issued to banks, ISPs, car dealers, insurance companies etc. The letters do not require a judge's approval or a showing of probable cause.) They stopped the Bill on the grounds of breaching privacy of US citizens. The amendment would make it possible for NSLs to request metadata information.

The Bill has been shelved for the time being until an agreement is reached on the NSL amendment.

ORG media coverage

See ORG Press Coverage for full details.

2016-06-11-A Plus-Watch People's Reactions When They Realize There Is Nothing Private About This London Bathroom
Author: Steven Lerner
Summary: Jim Killock quoted on the reasons behind creating “A very public toilet” video.
2016-06-11-The National-US whistleblower Snowden reveals GCHQ spy programme with secret link to Scottish police
Author: Michael Gray
Summary: ORG Scotland quoted on concerns with MILKWHITE and the SRC projects.
2016-06-14-Computing-Snooper's Charter will extend GCHQ's surveillance powers to all levels of law enforcement, say campaigners
Author: John Leonard
Summary: Jim Killock quoted on threats to society from using the Request Filter.
2016-06-14-The Inquirer-Mozilla: Snoopers' Charter will give police GCHQ-level surveillance powers
Author: John Leonard
Summary: Jim Killock quoted on threats to society from using the Request Filter.
2016-06-16-Telecompaper-ORG warns against Tesco Mobile discount offer
Summary: ORG mentioned in connection to Tesco Mobile discount offer for viewing ads and its implication on people's privacy.
