ORG policy update/2016-w30

This is ORG's Policy Update for the week beginning 25/07/2016.

If you are reading this online, you can also subscribe to the email version.

The Policy Update will take a short break in August and will be back the week of 22 August.

ORG's work

  • ORG has been finalising our soon-to-be-published birthday book.
  • We have been prepping for a cross-industry meeting on post-Brexit strategies taking place this week.

Official meetings

  • Jim Killock and Myles Jackman attended a meeting at the Intellectual Property Office to discuss ORG's concerns about the 10-year prison sentence for copyright infringement.



The IPBill's passage through the House of Lords is taking a break for the summer recess and will be back in September. The next Committee sitting will take place on 5 September with a follow-up sitting on 7 September.

The Lords will discuss provisions on bulk powers after the summer recess after David Anderson submits his independent review on the topic. You can find a brief summary of what happened at the latest Committee sitting in the House of Lords on ORG's blog.

In the meantime, the Press Gazette started a petition addressed to the Home Secretary Amber Rudd MP on protection of journalistic sources and whistleblowers in the IPBill. You can find the petition here.

Question on data protection

Chi Onwurah MP asked the Secretary of State for Culture, Media and Sport, what assessment has been made of of the potential effect of tracking if digital devices through Wifi and Bluetooth on consumer rights and privacy.

Matthew Hancock MP, the Minister for Culture, Media and Sport, responded without referring to the two technologies mentioned in the question. Hancock responded saying that the Information Commissioner's Office has produced guidance on privacy on mobile apps. Under the Data Protection Act owners should be informed how their data will be handled.

Question on online abuse on social media

Anna Turley asked the Secretary of State what steps is the Home Department taking to tackle online abuse on social media.

Sarah Newton MP responded that the police now have longer to investigate offence and the maximum penalty has been increased to two years imprisonment under the Criminal Justice Act 2015.

The Department has introduced a new law making 'revenge porn' a criminal offence. The Home Office allocated further funds to set up a comprehensive programme of digital transformation across policing.

The Home Office is also working with College of Policing to improve investigation and prosecution of online Violence against Women and Girls offences. And with UK Council for Child Internet Safety to keep children and young people safe online.

Written question on digital capabilities of charities

Tom Watson MP submitted a written question to the Secretary of State for Culture, Media and Sport, what steps are planned to help charities improve their digital capabilities.

Rob Wilson MP, the Parliamentary Under-Secretary for Culture, Media and Sport, responded that government is committed to supporting the voluntary sector and currently does so through the Local Sustainability Fund which subsidizes small to medium sized organisations to secure and enhance their services.

Government is also trying to tackle digital exclusion by increasing basic digital skills and Internet use for individuals and organisations.

Written question on Internet bullying

Anna Turley MP submitted a written question to the Secretary of State for Justice, if plans to consolidate existing legislation on online abuse and malicious communication will be brought forward.

Oliver Heald MP, the Minister of Justice, responded that the Government believes current legislation is sufficient and does not intend to consolidate existing legislation on online abuse and malicious communication.

Written question on biometrics and police

Lord Scriven submitted a written question to the Government, asking what legislation currently governs the retention of facial custody images.

Baroness Williams of Trafford responded that the use and retention of facial custody images is governed by the Code of Practice on the Management of Police information, guidance in the College of Policing's Authorised Police Practice and the Data Protection Act 1998.

Other national developments

Privacy International reveal secret documents on MI5

Privacy International released new series of documents related to their Bulk Personal Datasets challenge in the Investigatory Powers Tribunal started in 2015. The legal challenge was filed to ask whether the acquisition, use, retention, disclosure, storage and deletion of Bulk Personal Datasets is in accordance with the law and necessary and proportionate.

The newest letters show the head of MI5, Andrew Parker, complaining to the then-Home Secretary, Theresa May, that the non-statutory requirement recommended by the Intelligence and Security Committee and the Independent Reviewer of Terrorism Legislation, David Anderson, risks the agency's response to security threats.

More of the released documents depict MI5 getting repeatedly warned by the Interception of Communications Commissioner's Office (IOCCO) that it was breaching a code of practice on data collection. MI5 has been ignoring a requirement for appointing a designated person independent of an investigation to authorise data collection.

IOCCO reported that MI5 implemented independent oversight of data collection from doctors and lawyers with access to privileged or confidential information; however it later became obvious that line managers were not independent from the operations.

The letters show several instances when MI5 resisted to comply with IOCCO's recommendations on the grounds of
“adding a non-trivial amount of administrative burden into our system, at the same time as we work to increase assurance levels against a very high tempo of threat.”

Overall, the security services show the lack of separation between investigative teams and those who authorise operations.

Spying on high-profile people

More documents also showed how security services spied on 20 high-profile people in operations that were unjustified.

Privacy International said
“Obtaining the factual background to the use and misuse of bulk communications data has resembled a drip experiment. It was only after several rounds of requests for further information by Privacy International that it was revealed that amongst the instances of misuse of communications data, there were a number of unjustified searches for high-profile individuals.”

Lauri Love's last extradition hearing

Lauri Love, who was accused of allegedly being involved in the hack targeting the US Army, the Federal Reserve, the FBI, NASA and the Missile Defense Agency, earlier this week in the last hearing that will decide whether he will be extradited to the US. The decision by the Court will be announced 16 September. In the meantime, Love remains on bail.

Love would face a sentence of 99 years in prison in the US for hacking as part of the Anonymous Collective in 2013 . He was diagnosed with Asperger Syndrome and depression. The defence previously argued that Love's condition makes him vulnerable and likely to commit a suicide in the US prison system known for poor mental health issues management. Instead, he should face trial in the UK.

His case is similar to that of Gary McKinnon who was accused of illegally accessing US Department of Defense servers. McKinnon faced extradition to the US that was eventually blocked by then-home secretary Theresa May in 2012. After this particular case, May introduced a forum bar – meaning that where prosecution is possible in both the UK and in another state, the British courts will bar prosecution abroad if it is in the interests of justice.

Love's civil suit against NCA was supposed to be heard on 28 July but has been postponed for now. The new date will be announced on 16 September, when extradition ruling will be issued.

Named persons scheme

The Supreme Court has ruled that the Scottish proposal for “named person” scheme undermines rights to privacy and family life (Article 8 under ECHR). The scheme provides children with access to a named person (health worker, teacher) who acts as a single point of contact. It was intended to help parents access services and to identify children in need of protection.

The ruling says that information-sharing provisions in the scheme can possibly lead to disproportionate interference with the Article 8 under the European Convention on Human Rights. The judges pointed out that the scheme lacks safeguards for protection of privacy and confidentiality.

The Scottish government plans to start work immediately on the amendments to the legislation to implement the scheme nationally as soon as possible.

“Domestic extremist” suing UK police

A 91-year-old campaigner, John Catt, is on a quest to have his police surveillance records of peaceful participation in protests deleted. He will have his case heard at the European Court of Human Rights.

Catt has been classified as a domestic extremist without any criminal record. He and his family were tracked by police officers and had their movements recorded in detail.

Similar case has been brought to the ECtHR by six members of the National Union of Journalists who also have been subjected to having intelligence on them retained by the Metropolitan Police.

The case could have some implications for the IPBill in regards to the protection of journalists, their sources and whistleblowers.

Amazon tests drones

Amazon announced they will be testing the viability of delivery of small parcels by drones in the UK with support from the British government. The test is for deliveries weighing five pounds or less.

The company will explore three areas in their drone testing:

  • operations beyond line of sight
  • obstacle avoidance
  • one person operating multiple autonomous drones

The trial is supported by the Civil Aviation Authority who want to make sure that drone delivery does not adversely affect other airspace users.

Currently, the UK legislation does not allow drones to be flown within 50 meters of a building or a person, or within 150 metres of a built-up area. They are required to remain in line of sight and within 500 metres of the pilot.

Despite the testing, commercial use of drones is not very likely to become commonplace any time soon.

Drones have been previously associated with possible violations of privacy. The Information Commissioner's Office issued guidelines on responsible use of drones to prevent these violations. Their use is subjected to the Data Protection Act but, for now, drones lack a specific legislation regulating their use.


Export controls for surveillance technology

A leaked draft proposal shows the European Commission will be discussing controversial measures on export technologies that could be used to violate human rights in September.

The measures will impose export controls for cyber-surveillance technologies under a revised EU law covering dual-use goods that can be used as weapons or for civil purposes. The affected technologies include location tracking devices, biometrics and surveillance equipment.

The proposal has been criticised by tech companies who worry the law will affect export of common products like smartphones because of their ability to track location. Erka Koivunen, F-Secure security advisor, said the problem might be
"that you don't necessarily know who the buyer is, nor who the buyer works for. It would be unreasonable for a provider of COTS software or a researcher writing a study paper to demand a list of customers or to seek prior permission before 'delivering' the goods to the end user."

The new legislation would require a special approval for companies to export potentially harmful goods if they can be used to abuse human rights. The current law, Wassenaar agreement, limits the special export licenses to products that can be used to create weapons of mass destruction or violate a trade embargo.

Privacy International said about the proposal
“The main thing that should be done is to have transparency measures so member states have to make publicly available the data from their licensing mechanism.”

The Commission's draft proposal follows the non-binding resolution passed by the European Parliament last year calling for export controls on surveillance technologies. The current proposal is bigger in its scope than any other national or EU-level legislations on export controls for surveillance technologies.

No behaviour tracking for Microsoft

French data protection authority, CNIL, said that Microsoft has been collecting excessive data and tracking browsing by users without their consent. Due to their actions, Microsoft now faces sanctions if they fail to comply with the CNIL's demands.

According to CNIL, the data collected by Microsoft was irrelevant or excessive. Microsoft tried to justify the data collection claiming they use the data to identify problems and improve its products.

Additionally, the authority found that Microsoft relies on the Safe Harbour scheme to transfer personal data to the US, even though it has been ruled invalid and companies have to comply with the new Privacy Shield agreement from 1 August.

The Article 29 Data Protection Working Party is now looking into practices of Microsoft in other member states. In the UK, the Information Commissioner's Office has made enquiries with Microsoft. Microsoft vowed to work with CNIL to resolve the issues and to release an updated privacy statement next month. They also intend to sign up to Privacy Shield.

Article 29 on Privacy Shield

The Article 29 Data Protection Working Party issued a statement revealing their plans to scrutinise the newly adopted EU-US Privacy Shield agreement. The new framework will be up for annual reviews.

The national data protection watchdogs agreed that Privacy Shield is an improvement on safe Harbour; however they still share concerns about commercial aspects of the framework and access by public authorities to data transferred to the US.

The first annual review will
“assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective. The results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”

Opinion of the EDPS on E-Privacy Directive

Giovanni Buttarelli, the European Data Protection Supervisor, published his official opinion on the review of the E-Privacy Directive earlier this week.

The Directive is being reviewed in order to bring it into line with the new General Data Protection Regulation (GDPR). The opinion commented on such issues as encryption and interception and surveillance of communications.

Buttarelli said
“The new rules should also clearly allow users to use end-to-end encryption (without 'backdoors') to protect their electronic communications.

“Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.

“In addition, the use of end-to-end encryption should also be encouraged and when necessary, mandated, in accordance with the principle of data protection by design.”

In his opinion, Butarelli also stated that the ePrivacy Directive should continue to ban interception and surveillance of communications, including content and metadata. He further proposed a new requirement for organisations to disclose numbers of EU and non-EU law enforcement and government requests for information.

International developments

EFF suing the US government over the use of DMCA

The Electronic Frontier Foundation filed a lawsuit against unconstitutional use of the Digital Millennium Copyright Act. Their argument is that section 1201 – the anti-circumvention rule making it illegal to break an access control for copyrighted works, is unconstitutional. They also claim that the Library of Congress and the copyright office have failed to perform duties in the three-year DMCA 1201 exemption hearings.

The lawsuit was filed on behalf of Andrew Huang and Matthew Green, who both work on projects that would impact Digital Rights Management. Huang's project allows users to overlay images over HD videos. He wants to build on this project and develop features to record and manipulate digital video – to record them for later, turn them into clips that can be reused later in legal ways.

Green's project focuses on security research that could raise section 1201 threats. This would include investigating the security of industrial-grade encryption devices used to secure cryptographic keys for different purposes. DMCA only grants exemptions for security research on consumer equipment and certain medical devices. If Huang was to conduct his research he would find himself facing criminal jeopardy, even though the research would benefit the economy by detecting threats.

The argument the EFF is making is that wording of the statute requires the Library of Congress to grant exemptions for all conduct that is legal under copyright and fair use. However, the Supreme Court gave guidance on how copyright law is constitutional in two cases (Golan and Elder) from 2015 even though it places limits on free speech. For this reason the Library of Congress withheld permissions for many uses that the DMCA blocks, but which copyright allows.

If the permissions for uses in the case from 2015 had been granted, Huang and Green would not be facing legal problems now. The whole case could take years to be resolved.

ORG Contact Details

Staff page