This is ORG's Policy Update for the week beginning 06/02/2017.
If you are reading this online, you can also subscribe to the email version.
- 1 ORG’s work
- 2 Official meetings
- 3 Parliament
- 4 Other national developments
- 5 International developments
- 6 ORG media coverage
- 7 ORG Contact Details
- ORG launched a new campaign for (spoof) recruitment for millions of posts of Internet porn classifiers. Check out the job description and person specification. We even put together some interview tips for our applicants.
- ORG have launched a petition to prevent President Trump from using the data collected by the UK intelligence agencies to strip away basic liberties. Don’t let Trump get his hands on our data, sign our petition now!
Planned local group events:
- Join ORG Birmingham on 22 February to look at how police are covertly using devices to indiscriminately intercept and hack up to 500 phones every minute.
- ORG Aberdeen is organising a Cryptonoise meeting on 23 February. Learn how to protect your rights in a digital world. You do not need to be a tech wizard to attend.
- Explore the issues surrounding data protection, surveillance and internet identity at the Still immersive theatre piece on 1-2 March in Brighton.
- Jim Killock participated in a panel discussion on surveillance and the Investigatory Powers Act at the Lush Summit 2017.
The Committee stage of the Digital Economy Bill continued this week with two more sittings. Lords discussed issues related to data sharing and the BBC. The DEBill will start its Report stage on 22 February.
Labour and Lib Dem Lords submitted numerous amendments calling for improved privacy safeguards and legally binding codes of practice.
Lord Collins (Labour) tabled an amendment that would limit which public authorities have access to people’s data. The amendment also required additional approval for non-approved uses of people’s data.
The Government did not agree with the improved privacy safeguards. Lord Keen responded that the Bill will need to adhere to the Data Protection Act 1998 and also the General Data Protection Regulation when it comes into force in May 2018. For these reasons, the Government doesn’t think privacy safeguards are necessary on the face of the Bill.
Amendments proposed to make the codes of practice for Part 5 on Data Sharing a statutory piece of legislation were rejected by the government. Lord Keen dismissed the proposal for codes of practice to comply with procedures for the secure handling of information. In the current wording of the Bill, codes of practice merely have regard to procedures for the secure handling of information. The Government considers such wording a satisfactory level of obligation for a code of practice.
A recent piece of research highlighted another issue with data sharing. The data sharing provisions in the DEBill might be incompatible with the General Data Protection Regulation that the Government is planning to adopt fully. The GDPR promises to give people more control over their data, whereas the DEBill does the exact opposite. The research shows how difficult it will be for officials to implement both pieces of legislation in the public sector.
One of ORG’s latest blog posts gives more detail on the issues of appeals for ISP website blocking and privacy safeguards.
The Government doesn’t accept that the blocking powers could lead to widespread website censorship. Jim Killock explains in a blog how the power could be applied to tens of thousands of websites, or even millions. The extent to which the power is used to block websites is a matter of discretion, and therefore a matter of politics and financial constraints rather than objective criteria.
Online copyright infringement
The Committee had only a brief discussion of the copyright provisions in the Bill. We previously criticised the Government’s approach to defining the online copyright infringement offence. The wording in the Bill is too vague and could catch casual file sharers instead of the commercial ones.
The Bill uses loss and a risk of loss caused to a copyright holder as a defining factor for the offence of copyright infringement. However, it doesn't specify how big the loss would need to be. Without thresholds for loss and a risk of loss, this offence can be applied to people who accidentally share a copyrighted picture and cause minimal loss to the copyright owner.
Labour proposed to amend this part and use the wording currently used in the Copyright, Designs and Patents Act 1988. Such an amendment would not respond appropriately to digital copyright infringement. It would bring back the concept of "prejudicial effect". Similar to loss and a risk of loss, "prejudicial effect" is also too broad to exclude accidental and small copyright infringers.
Jim Killock explains what needs to be done in this blog.
Government falls short on cyber security
The Public Accounts Committee (PAC) released a new report on Protecting Information Across Government. The report focuses on the role of the Cabinet Office in coordinating dissemination of information and protecting it from unauthorised access or loss.
The report found that the government’s efforts to strengthen cyber security are diminished by the Cabinet Office’s failure in recording personal data breaches. It was highlighted in the report that processes for departmental personal data breaches are inconsistent and dysfunctional. The situation is particularly bad regarding low level breaches.
The Committee members called on the Cabinet Office to create a detailed plan for improving cyber security by the end of the year. At the moment, the department’s role in protecting information in central government is not clearly defined. The Committee found that the public sector lacks coordination in information protection.
Recommendations by the Committee:
- The Cabinet Office should write to the PAC setting out its findings from a pilot security cluster.
- Government should establish a clear approach for protecting information across the whole of the public sector.
- The Cabinet Office should ensure there is a robust challenge built into the Government Security Classifications and the Foxhound project for sharing classified information across government.
- The Cabinet Office should regularly assess the cost and performance of government information security initiatives.
- The Cabinet Office should work with the Information Commissioner’s Office on a set of reporting guidelines.
Scottish NHS in a cyber attack
It was reported that data of nearly 300 Scottish NHS staff was leaked in a cyber attack against one of their suppliers in the US.
The supplier, Landauer, provides ionising radiation monitoring services across Scotland. They retain personal information of the NHS staff, including their names, radiation dose, dates of birth and national insurance numbers. Patients were not affected by the breach.
It was revealed that the company was aware of the breach in October but only informed the NHS recently. The report of the breach only proves the points raised in the recent Public Accounts Committee’s report claiming that the public sector lacks coordination in information protection and breach reporting.
Question on electronic warfare
Ben Gummer MP responded that a recent success was the launch of the National Cyber Security Centre, which is working to deliver the National Cyber Security Strategy. The Minister did not list any other steps being taken to protect the UK from cyber attacks.
Question on data protection
Lord Browne asked the Government what steps they are taking to help people protect their personal data online.
Lord Ashton responded that the Information Commissioner's Office provides guidance to individuals and organisations on the protection of personal data online. Ashton said that the soon to be implemented General Data Protection Regulation will provide additional safeguards for people’s personal information.
Other national developments
Consultation on espionage
The Law Commission published a consultation paper suggesting improvements to the law around the protection of official information. In other words, this consultation makes recommendations for a "future-proof" Espionage Act.
The new law would make leaking and whistleblowing a crime as serious as spying for foreign powers. Jail sentences would apply even if the whistleblower is not a British national and acted in the public interest.
A memorandum of understanding revealed that the Home Office can require access to some patients’ names, dates of birth and addresses. Such information may make it easier for the Home Office to identify illegal immigrants.
The data is supposed to be supplied by NHS Digital. They don’t need to give up the data if they assess that the Home Office have not argued their case well enough. However, the partnership becomes more complex if NHS Digital refuses to provide the data.
In case of a dispute, the Department of Health is supposed to act as an impartial arbiter. It is difficult to grasp how the Department of Health can be considered impartial since, like the Home Office, it is a government department.
Initiatives like this one are likely to discourage people from seeking medical help by creating a barrier. In the long run, this increases the risk to the general public.
Body-worn cameras in UK schools
Two schools in the UK are conducting trials for teachers wearing cameras in class. The trial aims to help teachers limit disorder.
Teachers have an option to wear a camera when they feel it is necessary. Cameras are not on constantly. The trial will run for three months and footage from cameras is securely stored on a cloud platform.
The cameras are not surveillance cameras and are supposed to be used only during incidents. Despite these claims, filming pupils can be invasive. The information on how the footage is used is not available at the moment and neither are arrangements for secure storage. This type of intrusive technology can also negatively impact on the teacher-pupil relationship.
Google might have to hand over emails to FBI
A US judge ordered Google to hand over its users’ emails even though they are stored on servers outside the US. This judgment goes against the precedent set by a similar case involving Microsoft.
In the Microsoft case, the company didn’t need to hand over emails to the FBI in a narcotics case because they were stored on a server in Ireland. The ruling in the Google case, however, said that getting emails from an overseas location does not qualify as seizure because the user’s possessory interest in the information is not interfered with.
Google is planning to appeal the judgment, particularly because the judge departed from precedent. The previous judgment found that the 1986 Stored Communications Act (used to issue warrants in both cases) was left behind by technology and is in need of a revision to improve privacy protection.
ORG media coverage
See ORG Press Coverage for full details.
- 2017-02-02-The Missouri Injury Blog-AI software algorithm can track your every move at work
- Author: Samuel Butler
- Summary: Javier Ruiz quoted on employees being given clarity on what information is collected and how it is used by AI software at a workplace.
- 2017-02-03-Order Order-Government to hire porn watching bureaucrats
- Summary: ORG quoted about the new campaign for jobs for Internet classifiers.
- 2017-02-06-New Statesman-Inside the government's mad plan to catalog every video on the Internet
- Author: Myles Jackman
- Summary: Myles Jackman comments on the Government’s plans to introduce age verification and ISP blocking for porn websites.
- 2017-02-08-Broadband Genie-UK porn blocking: Government age verification requirement "could set a dangerous precedent"
- Summary: Jim Killock interviewed on ISP blocks for porn websites.