ORG policy update/2017-w03

This is ORG's Policy Update for the week beginning 16/01/2017.

If you are reading this online, you can also subscribe to the email version.

ORG’s work

  • ORG has been working on new campaign material (to be released soon).
  • We have been busy preparing for the Digital Economy Bill Committee stage in the House of Lords.

Planned local group events:

  • Join ORG Leeds on 25 January for the launch of the group! Learn some of the free tools that you can use to protect your privacy in the age of global mass surveillance.
  • ORG Birmingham's Local Organiser, Francis Clarke, will be speaking about digital rights at the next Brewcamp West Midland meeting on 25 January. Come along to learn about how technology is shaping the public sector.
  • ORG Aberdeen is organising a Cryptonoise meeting on 26 January. Learn how to protect your rights in a digital world. You do not need to be a tech wizard to attend.

Come to an ORG local group event near you

Official meetings

  • Jim Killock and Javier Ruiz attended a meeting with Julia Powles regarding DeepMind.
  • Javier Ruiz attended a roundtable at the Department of Culture, Media and Sport to discuss the General Data Protection Regulation.
  • Jim Killock attended a Projects by IF event.

Parliament

DEBill

The Digital Economy Bill will be subjected to scrutiny by the Committee in the House of Lords on 31 January. The sittings to follow will take place on 2, 6 and 8 February.

Committee on the Constitution Report

Following the course set by the report from the Delegated Powers and Regulatory Reform Committee published in December 2016 on Parts 1-4 of the DEBill, the Select Committee on the Constitution released their own report widely supporting the DPRR report’s findings and recommendations.

The new report does not go into as much detail as the report by the DPRR Committee. The Constitution Committee, however, builds on the criticism already made that there will be no parliamentary scrutiny of the guidelines to be issued by the age-verification regulator.

The Committee questions

“whether the House can effectively scrutinise the Bill when its scrutiny is impeded by the absence from the face of the Bill of any detail about the operation of the proposed age-verification regime.”

They recommended that the House of Lords reconsider what degree of detail (or lack of detail) is appropriate on the face of the Bill.

The Committee reiterated concerns previously made by the Information Commissioner Elizabeth Denham during the oral evidence sessions to the Public Bill Committee in the House of Commons. Denham said that a balance needs to be found "between verifying the age of individuals and minimising the collection and retention of personal data."

A more detailed summary of the report can be found here.

DPRR Committee Second Report

The Delegated Powers and Regulatory Reform Committee published another report on the DEBill, responding to Parts 5-7.

The report makes recommendations regarding codes of practice for Part 5 on Digital Government and powers given to Ministers.

Javier Ruiz analysed the report in a blog here.

Question on the IPAct

Gavin Newlands asked for a statement on unlawful implementation of various provisions of the Investigatory Powers Act (including Internet connection records and bulk personal datasets) following the ruling by the European Court of Justice (CJEU) which found general and indiscriminate retention of communications by governments illegal.

David Lidington MP responded that the Government are considering their response to the judgment. Lidington stressed that security and intelligence agencies consider the ability to collect bulk data to be of vital importance in the battle against terrorism.

Question on cybersecurity centre

Kelvin Hopkins MP asked the Minister for the Cabinet Office what contribution the Emerging Technology and Innovation Analysis Cell (ETIAC) made to the National Cyber Security Strategy 2016-21.

Ben Gummer MP responded that the ETIAC had not been established when evidence was gathered for the National Cyber Security Strategy 2016-21. However, officials from the Ministry of Defence and the Home Office currently staffing ETIAC contributed to the strategy’s conclusions on technology and innovation.

Question on international security and intelligence

Following the Prime Minister’s speech on Brexit, Lord Wallace sought clarification on how the UK intends to continue to cooperate on international security, sharing of data and intelligence, and data protection with other European Union countries unless the European Court manages to maintain a degree of jurisdiction and supervision over that area.

Lord Bridges responded that sharing data will be a matter for negotiations. He stressed that the Government plans to continue to deliver the same level of security and stability.

Response to the Surveillance Commissioner letter on NHS

Letters between the Surveillance Camera Commissioner and the Home Office regarding the Commissioner’s code of practice were published this week.

The letters show that the government decided to reject the Commissioner’s request to allow him to monitor the use of CCTV and body-worn cameras in hospitals. NHS Trust is currently not on the list of public bodies required to comply with a code of practice on the use of surveillance.

The Home Office Minister, Brandon Lewis MP, said the Commissioner’s request was denied because not all possibilities of voluntary compliance had been exhausted. However, the letter by the Commissioner, Tony Porter, reveals that NHS Protect refused to comply voluntarily with the code of practice in the past.

The Surveillance Camera Commissioner’s code of practice requires public bodies to demonstrate a pressing need for the use of surveillance cameras and to warn the public of their use and of how images will be stored and used. The government’s decision not to require the NHS to comply with the code raises serious concerns about patients’ privacy.

Other national developments

WhatsApp’s “backdoor”

The Guardian reported on Friday last week that WhatsApp’s end-to-end encryption has an alleged backdoor that allows snooping on encrypted messages. The report was based on research by Tobias Boelter, published in April 2016.

The original article alleged that this vulnerability is a “huge threat to freedom of speech”. The article implies that WhatsApp is able to read messages due to the way it has implemented its end-to-end encryption protocol.

Ed Johnson-Williams explains in a blog how the so-called “backdoor” works in practice.

According to his evaluation

“somebody collaborating with WhatsApp could theoretically read a small number of messages. This is very unlikely though and would be very easy to detect.”

“It would be incredibly difficult for WhatsApp to use the vulnerability to read messages this way at scale without gaining a terrible reputation for not delivering messages. … if you’re worried about law enforcement, they have other ways (such as hacking the phone) to target an individual WhatsApp user’s messages that would be cheaper, quicker, and more difficult for the target to detect.”

The Guardian article faced a backlash from cryptographers, who said that it put very little effort into verifying its technical claims and would discourage people from using end-to-end encryption. Moxie Marlinspike, the co-author of the Signal protocol used by WhatsApp, explained here how the Signal protocol implemented by WhatsApp works. He said

“The fact that WhatsApp handles key changes is not a "backdoor," it is how cryptography works.”

You can listen to Alec Muffett, a director on ORG’s Board, discuss the vulnerability and security-usability trade-offs here.

IoT principles

TechUK, an IT industry association, published a set of principles for companies to follow when developing products and technology in the realm of the Internet of Things (IoT).

The document highlights three main principles:

  • data transparency and customer empowerment

This principle reminds companies that people have rights over their data. Data should be handled transparently and processed in accordance with the General Data Protection Regulation.

  • interoperability

“Customers need to be able to exercise choice and the ability to switch between multiple providers of products and services.”

  • protection against cyber attack

The tech industry should provide adequate protection against cyber attacks by developing security by design and complying with any regulatory requirements.

Europe

Article 29 on GDPR

The Article 29 Data Protection Working Party (WP 29) issued a press release revealing their action plan for the adoption of the General Data Protection Regulation.

The WP29’s Action Plan 2017 states that the WP will finalise its work in the areas targeted in 2016. To do so, they will produce guidelines on Data Protection Impact Assessments, administrative fines and the setting up of the European Data Protection Board.

The new WP29 priorities for 2017 will include:

  • production of guidelines on consent and profiling
  • production of guidelines on transparency
  • updating existing opinions on data transfers to third countries and data breach notifications

ORG media coverage

See ORG Press Coverage for full details.

2016-01-13-The Guardian-WhatsApp vulnerability allows snooping on encrypted messages
Author: Manisha Ganguly
Summary: Jim Killock quoted on the need for companies who offer end-to-end encryption to disclose their vulnerabilities if they are found.
2016-01-16-IT Pro-Workplace monitoring: would you let your boss track your mood?
Author: Nicole Kobie
Summary: Pam Cowburn quoted on workplace tracking devices being part of a broader shift to a surveillance culture.
2016-01-17-New Scientist-Resisting Trump: How to survive the next surveillance state
Author: Sally Adee
Summary: Jim Killock quoted on bulk data collection making it possible to search and process that data to determine if there is interesting material.

ORG Contact Details

Staff page