ORG policy update/2017-w02

This is ORG's Policy Update for the week beginning 09/01/2017.

If you are reading this online, you can also subscribe to the email version.

ORG’s work

  • ORG launched a petition to repeal Section 40 of the Crime and Courts Act. Section 40 forces publications that decide not to join a state-approved regulator to pay the full legal costs of anyone who decides to sue them for news they have published. There are no exemptions for campaigning organisations like ORG, which is not a charity. You can learn more about the petition here.
  • We have been getting ready for the Committee stage of the DEBill, planning and gathering more information.

Planned local group events:

  • ORG Cambridge is organising a screening of the new ‘Snowden’ film on 16 January, followed by a discussion with an esteemed panel. Join the group for an exploration into how mass surveillance violates our rights to privacy and free speech.
  • ORG Birmingham's Local Organiser, Francis Clarke, will be speaking about digital rights at the next Brewcamp West Midland meeting on 25 January. Come along to learn about how technology is shaping the public sector.
  • ORG Aberdeen is organising a Cryptonoise meeting on 26 January. Learn how to protect your rights in a digital world. You do not need to be a tech wizard to attend.

Official meetings

  • Jim Killock attended a meeting with Yoti, one of the companies developing an age-verification system for the DEBill.
  • Jim Killock attended a meeting with Liberty & Privacy International to discuss further steps regarding data retention and legal strategies.

Parliament

DEBill

The Digital Economy Bill is still awaiting the dates for the Committee stage in the House of Lords. The Committee sittings are likely to take place in the last week of January.

The newest proposed amendments can be found here.

Lords’ Committee report on the DEBill

The Delegated Powers and Regulatory Reform Committee of the House of Lords published a report on the DEBill. The Committee is appointed to

“report whether the provisions of any bill inappropriately delegate legislative power, or whether they subject the exercise of legislative power to an inappropriate degree of parliamentary scrutiny.”

The report addresses Parts 1-4 of the Bill but only makes recommendations for Part 2 on Digital Infrastructure and Part 3 on Online Pornography. A longer summary of the report can be found on ORG's wiki here.

Recommendations for Part 3 on Online Pornography:

  • The identity of the age-verification regulator should be specified in the Bill.

The Committee criticised the level of flexibility given to the Secretary of State for designating the regulator. The report also stated that the Committee would not object to the Secretary of State having powers to designate a different regulator if necessary.

  • A statutory right of appeal needs to be included in the Bill.

The Report found it unsatisfactory that appeals against enforcement actions available to the regulator (such as blocking) are not set up to be made to an independent body. The Bill lacks specified appeals arrangements completely.

  • Definition of “commercial basis” should be put on the face of the Bill.

According to the Committee, the regulator should not have the power to define key concepts of the Bill in guidance it issues without any Parliamentary scrutiny. For this reason, the Committee’s recommendation states that “making pornography available on a commercial basis” should be defined in the Bill.

  • Guidelines on financial penalties should be approved by Parliament.

Due to the highly influential nature of financial penalties, the Committee recommends specifying in the guidelines how the regulator decides on the amount of penalties. The report also finds it necessary that the guidelines are approved by Parliament.

  • Definition of who qualifies as ancillary and payment-service providers needs to be included in Parliament-approved guidance.

Letter by UN Special Rapporteur for free speech on age verification

The UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, raised serious concerns over the right to privacy and freedom of expression regarding age verification for online adult content in a letter to the British UN Ambassador.

The Special Rapporteur questions whether the DEBill is capable of achieving protection of children from harmful adult content and whether this legislation is legal under international human rights law (in particular with respect to Articles 17 and 19 of the International Covenant on Civil and Political Rights).

Kaye recognised that the British Board of Film Classification (BBFC) has been dealing with age classification in the offline world, but he also stated that they are trying to employ the same system in the online world, disregarding the particularities of the digital environment.

The Special Rapporteur called on the Government to take necessary steps to conduct a comprehensive review of the DEBill.

Concerns raised by the Special Rapporteur:

  • AV provisions give the government access to viewing habits and citizen data

The Rapporteur is concerned that data provided to one part of government can be shared with other parts of government and private companies without citizens’ consent. He emphasised that collection of such data increases the risk of hacking.

  • loss of anonymity

In Kaye’s opinion, identity disclosure requirements in law facilitate state surveillance and make particular individuals more vulnerable to other forms of state surveillance.

  • lack of privacy obligations

The Rapporteur is especially

“concerned at the imposition of the age-verification mechanism which has implications for the right to privacy without imposing conditions for the storage of such data.”

  • lack of judicial oversight

Kaye stated that any determination of website shutdown must be undertaken by a body which is independent of any political, commercial or unwarranted influences.

  • cumulative effect of the DEBill and IPAct creating tightening control over the Internet in the UK

Question on school census

Lord Scriven asked the Government what information was given to those completing the national school census regarding the sharing of details with the Home Office for immigration purposes.

Lord Nash responded that the Department for Education provides schools with a privacy template to explain to parents what personal data they collect, why and how it is used.

Regarding the data sharing between the Home Office and the Department for Education, Nash said that the Memorandum of Understanding between the departments is available in the House library. He made it clear that this data sharing does not include data relating to pupils’ nationality. This data will remain available solely to the Department for Education. Even though parents cannot opt out of school census data collection, they can choose to withhold the information.

Question on pupils’ nationality

Steve McCabe MP asked the Secretary of State for Education what data from the National Pupil Database (NPD) the Department shares with the Home Office for immigration purposes. McCabe further enquired about what information the Department shares with media and other parties.

Nick Gibb MP responded that the police or Home Office may request limited data from the National Pupil Database where they provide clear evidence of criminal activity or that a child might be at risk. This data sharing arrangement is set out in the Memorandum of Understanding.

The Secretary of State has powers to share extracts of data from the database with named bodies and third parties under strict conditions. These include: conducting research or analysis, providing statistics or providing information, guidance or advice.

NPD data is not routinely shared with media bodies.

Consultation on the digital world and cyber security

The Joint Committee on the National Security Strategy announced an inquiry into UK national security in a digital world. The consultation is responding to the potential exploitation of the cyber domain by other states and actors for political purposes.

The Committee is seeking written submissions addressing these issues:

  • The types and sources of cyber threats faced by the UK
  • The effectiveness and coherence of the strategic lead provided by the National Security Council, Departments, agencies, and the National Cyber Security Centre
  • Learning points drawn from the first Cyber Security Strategy and the fitness for purpose of the second Cyber Security Strategy
  • Whether the UK has committed sufficient human, financial and technical resources to address the scale of the cyber security challenge
  • The development of offensive cyber capabilities and the norms governing their use
  • Ways in which the UK Government can work with the private sector to build cyber resilience and cyber skills
  • The balance of responsibilities between the Government and private sector in protecting critical national infrastructure
  • The appropriate role for Government in regulating and legislating in relation to cyber both nationally and internationally
  • How the UK can co-operate with allies and partners on the development of capabilities, standard setting and intelligence sharing

More information on the inquiry can be found here.

Other national developments

UK ISPs to send piracy warnings

The biggest UK Internet service providers (ISPs) will begin to send the first round of piracy warning letters in January. Warnings will be issued to ISP subscribers suspected of online copyright infringement.

This initiative is voluntarily supported by BT, Virgin Media, Sky Broadband and TalkTalk. The ISPs will send educational notices to those who use peer-to-peer file-sharing networks to infringe copyright in material provided on the networks.

The letters are intended to be strictly educational and should not contain any threats or demands for money, as occurred in several earlier speculative invoicing cases. ISPs and copyright owners are trying to discourage future infringement by providing legal alternatives for accessing copyrighted content.

The scheme is part of the Creative Content UK (CCUK) initiative. CCUK appears to be aware that notices based on IP address recognition are not perfectly reliable in targeting the actual infringer. They are working on other initiatives that would involve working with advertisers and payment processors to cut off revenue to illegal sites.

Europe

Draft E-Privacy Regulation

The European Commission officially published a draft proposal for a Regulation on Privacy and Electronic Communications (e-Privacy Regulation) this week after it was leaked to the public in December 2016.

In a press release, the Commission stated that the new legislation is to

“ensure stronger privacy in electronic communications, while opening up new business opportunities.”

The e-Privacy Regulation (ePR) finalises the European data protection framework. The proposal aligns the rules for electronic communications with the EU’s General Data Protection Regulation (GDPR).

  • Privacy rules for OTT services

The new privacy rules will apply to over-the-top (OTT) online messaging services such as WhatsApp, Facebook Messenger, Skype or Gmail. The privacy rules set previously by the e-Privacy Directive only required telecoms to adhere to the rules on confidentiality of communications and the protection of personal data.

The proposed rules will guarantee privacy for both content and metadata of electronic communications.

  • Changes to cookie consent

The proposal also changes the rules on consent for cookies. Consumers should be able to set the level of protection in their internet browsers. Cookie consent will not be necessary for all websites. No consent is necessary for non-privacy-intrusive cookies.

  • Clarification on ad-blockers

The Commission also clarified the grey area of preventing ad-blocker users from accessing content on publishers’ websites. The technology used to detect the use of ad-blockers is not in a legally straightforward position. Some privacy activists argued that by detecting ad-blockers, websites are accessing devices without consent. In general, websites have to ask permission to monitor the use of ad-blocking technology, but consent is not required for detection of such technology.

The new rules make this situation clear by confirming that detection of an ad-blocker by a website does not require consent to access a device. This means that publishers will continue to be able to block people from accessing their content if they are using an ad-blocker.

Javier Ruiz analysed the leaked draft here.

ORG Media coverage

See ORG Press Coverage for full details.

2016-01-05-Lexology-Policing the internet - an age old problem
Author: Joseph Byrne
Summary: ORG mentioned in connection with Alec Muffett who was quoted on the hacking dangers created by age-verification systems.
2016-01-07-Scotsman-SNP accused of ‘running scared’ of ‘super ID database’ plans
Author: Scott Macnab
Summary: Jim Killock quoted on the necessity for a debate on any plans that will lead to ID card system in Scotland.
2016-01-12-The Guardian-UN free speech advocate criticises UK plan to curb access to online porn
Author: Damien Gayle
Summary: Jim Killock quoted on the age verification going badly wrong if the DEBill passes as it currently is.
