ORG policy update/2016-w25
This is ORG's Policy Update for the week beginning 20/06/2016.
If you are reading this online, you can also subscribe to the email version.
A note on the EU Referendum
We prepared nearly all of this policy update before the EU referendum result this morning. It is still unclear how the UK's decision to leave the EU and David Cameron's decision to resign as Prime Minister will affect the issues dealt with in this update, ORG's ongoing work, and digital rights in general. It will take us some time to fully assess the impact.
ORG's work
- We have been working on our response to the European Commission's E-Privacy review consultation, which covers mobile data tracking and cookie consent.
- This week we put together an IPBill briefing for the members of the House of Lords to anticipate the Bill's Second Reading. ORG has also been developing more amendments for the IPBill.
- We held our first threat modelling workshop, led by Ed Johnson-Williams, to help people understand everyday cyber security threats. We are planning to organise more workshops in the future. You can keep up-to-date with our events on Meetup.
- ORG Birmingham has been preparing to screen the Haystack documentary by Scenes of Reason in Birmingham on 4 July. If you are around, you can sign up here!
Official meetings
- Jim Killock attended a meeting with Ofcom representatives to discuss website blocking aspects of net neutrality.
- Javier Ruiz and Jim Killock attended a meeting at the Cabinet Office regarding data sharing in the UK.
Parliament
IPBill
The IPBill will be debated in the Lords next Monday 27 June. The Liberal Democrats are planning a thorough scrutiny of the Bill in the House of Lords. Lord Paddick said:
“The experience with legislation is that it goes through the House of Commons very quickly and is only considered in detail in the House of Lords.”
The Lords have been receiving briefings from different parties prior to the Second Reading. The National Union of Journalists made their briefing available to the public. They point out that the Bill still needs to improve the safeguards for whistleblowers and journalistic sources. The Lords also received reports from the Government making the operational case for bulk powers and comparing the internet connection records in the IPBill to the Danish internet session logging legislation.
The final vote on the Bill in the House of Commons (444:69) still left several holes to be patched up. The Information Commissioner's Office has pointed out, in a report on the TalkTalk data breach, that the IPBill is going too far and will increase the risk of further data breaches (read more below).
The areas of the IPBill that are expected to be scrutinised by the Lords cover: internet connection records, bulk powers, journalistic protections, equipment interference and authorisation of warrants.
The EU referendum result will definitely affect the IPBill. David Cameron, the Prime Minister, has said that the Conservative party should aim to have a new leader in place as Prime Minister by October. This entails a leadership contest and possibly a General Election. It is very unclear how the IPBill will progress in this situation. The Government has been aiming to pass the IPBill before the sunset clause on DRIPA kicks in at the end of 2016. It is possible that the Bill will be passed into law by that date. It is also possible that the sunset clause could be extended.
TalkTalk leak report
The Department for Culture, Media and Sport published a report on the circumstances surrounding the TalkTalk data breach in November 2015. The attack raised concerns that the personal details of over four million customers had been hacked and made public. This report looked into the wider implications for telecoms and internet service providers.
The report focused specifically on the IPBill and its potential impact on any future data breaches. The Information Commissioner's Office warned, during their oral evidence session, that the Bill could be a source of vulnerabilities because it will enforce the storage of huge pools of personal data. This could lead to more personal data breaches, causing a “haystack of potential problems”. With regard to the IPBill, the report states that:
“The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the Government. Part of the response could be to require enhanced security requirements and background checks for those with access to large pools of personal data. Data controllers should seek to control and limit access to such pooled data.”
The Department is still awaiting a statement from the ICO following their investigations into the TalkTalk breach, but recommendations made in the report include:
- increase consumer awareness of online and telephone scams
- the lack of attention to threats and vulnerabilities should be punished by escalating fines regulated by the ICO
- major companies likely to be subjected to cyber attacks should have a specific person responsible for cyber security who will be fully accountable and sanctioned in case of a threat
- it should be made easier for consumers who have been the victim of a data breach to get compensation
- the ICO should introduce an incentive structure that inhibits delays in reporting breaches
Other national developments
National Digital Conference
The Minister for the Cabinet Office, Matthew Hancock MP, introduced the digital transformation of government to the audience of the 11th National Digital Conference.
Hancock presented the Government's approach to digital transformation. Their approach can be summed up in these three points:
- start small then scale up
- treat tech as the means rather than the end
- treat data as a public service in its own right rather than an afterthought
The initiative is trying to increase the number of tech-savvy professionals working across government by giving opportunities to 100 graduates involved in the Digital and Technology Fast Stream. Additionally, the government plans to improve the skills, tools and vocabulary of more senior civil servants to facilitate the transformation.
The government is aiming to improve the delivery of public services through digital transformation. As outlined in the Digital Economy Bill, government departments will increase the level of information they share and hope to effectively reduce fraud and improve the statistics used by departments. This is part of a government data sharing regulation that Open Rights Group has been consulting on.
Europe
Privacy Shield
The European Commission announced last week that the Privacy Shield agreement would be finalised by this Wednesday. The public has not been presented with the actual deal, but reports claim it is still scheduled to be published in early July, when it is meant to be voted on by the Commission.
EU Justice Commissioner Vera Jourova confirmed that the most controversial issues had been agreed by both sides. She said that:
“We reached an accord on more precise listing of cases when bulk collection can occur and a better definition of how our American partners understand the difference between bulk collection which may be justified and mass surveillance without any purpose, which is not tolerable”.
Contrary to the Commissioner's optimism, it has been reported that members of Article 31 Working Group have not seen the final text of Privacy Shield. More meetings have been scheduled for 29 June and 4 July. The working group intends to use the full two weeks they have at their disposal to scrutinise the text of the deal. That could lead to further delays. However, Andrus Ansip, Vice President for Digital Single Market, remains hopeful the agreement will be finalised by the end of July. His meeting with the US Secretary of Commerce, Penny Pritzker, convinced him that progress is being made.
Even if the Privacy Shield deal passes, it is likely to last only a couple of years. The agreement will still be susceptible to legal challenges similar to the one brought forward by Max Schrems against Facebook, which shot down Safe Harbour, the predecessor of Privacy Shield.
Web content blocking anti-terrorism law
The European Parliament was due to vote on a controversial anti-terrorism law this week that would affect online content blocking. However, the vote was postponed to 27 June.
The draft of the directive proposes to block websites promoting terror attacks. It will give member states the power to use all necessary measures to remove or block access to webpages publicly inciting others to commit terrorist attacks. Removing or blocking access to online content is supposed to be subject to full judicial oversight.
The proposal has been criticised by digital rights activists for its lack of clarity. The law would not require safeguards for proportionality to be mandatory if governments prefer to leave the enforcement of the law to voluntary schemes (arranged by service providers).
The UK digital industry and service providers have a strong record of self-regulation that has previously resulted in over-blocking of content, especially in connection with pornography, alcohol and hate speech. The proposal would not improve the current situation. It would reinforce the current state that, according to the Council of Europe report, favours protecting ISPs from liability rather than protecting freedom of expression.
Snowden invited to give evidence on protection of whistleblowers
The European Commission has launched a public consultation on media pluralism and democracy. The consultation is tackling media freedom, censorship, free speech, hate speech, democracy and fundamental rights. The consultation is running for eight weeks, closing on 14 July.
In their call to submit responses, the Committee, among others, invited Edward Snowden to respond to the question on the best practices for protecting the confidentiality of journalistic sources and whistleblowers.
This issue is being discussed in the UK at the moment in relation to the Investigatory Powers Bill. It has been pointed out by the National Union of Journalists and other parties that the Bill does not offer sufficient safeguards for journalistic sources. This consultation offers an opportunity for people to raise concerns about the IPBill.
International developments
Backdoors in Russia
The Russian lower legislative house has proposed mandatory backdoors for encryption in all messaging apps in the country. The proposal will enable the Federal Security Service to obtain special access to all communication within the country.
Services such as WhatsApp, Viber and Telegram are being targeted in particular because they encrypt the messages passing through them. The law was already approved by the Russian Committee on Security. The whole proposal is supposed to tackle “brainwashing” of teenagers in closed groups on the internet, according to Russian Senator Yelena Mizulina.
ORG media coverage
See ORG Press Coverage for full details.
- 2016-06-23-IT Pro-US Senate defeats Snooper's Charter analogue
- Author: Jane McCallion
- Summary: Jim Killock quoted on the scope of government and intelligence agencies' access to personal data of UK citizens.