ORG policy update/2017-w09

This is ORG's Policy Update for the week beginning 27/02/2017.

If you are reading this online, you can also subscribe to the email version.

ORG’s work

• ORG launched an action this week calling on people to email Jo Johnson MP, the Minister for Universities, Science, Research and Innovation, to fix threats posed by offences for copyright infringement in the Digital Economy Bill. Let's stop copyright trolls threatening ordinary Internet users with 10 years in prison. Email the Government.

Planned local group events:

• Join ORG Cambridge on Tuesday 7 March for our monthly meetup to discuss the current state of digital rights, what we've done in the past month and what we are planning to do in the upcoming month.
• You seal your letters but send your mails unencrypted? You want to protect your privacy online but don't know how to do it? Join ORG Manchester on Friday 17 March to learn how to protect your communications and content over the Internet.
• Join ORG Birmingham on Tuesday 21 March to find out more about the Espionage Act and what you can do to stop the Law Commission criminalising journalists and public-interest whistleblowers.

Official meetings

• Jim Killock attended a meeting with representatives of Google to discuss various digital policy concerns.

Parliament

DEBill

The Digital Economy Bill went through the first day of its Report stage in the Lords last week. The next sittings are scheduled for 20 and 22 March.

The list of current amendments is available here. Lords are expected to debate provisions on age verification and online copyright infringement during these two days. The Government have not tabled any amendments yet relating to these sections of the DEBill.

In their response (released last week) to the report published by the Delegated Powers and Regulatory Reform Committee in January, the Government stated they will be introducing amendments for age verification.

Age verification

• There will be more than one regulator.

The Government recognised in their response that the British Board of Film Classification should not be the sole regulator for age verification purposes.

The BBFC will

“make decisions as to whether a website is compliant with the age verification requirement, will be able to notify payment service providers and ancillary service providers [...] and direct internet service providers [...].”

The BBFC will not regulate the issuing of financial penalties. An amendment will be introduced to adopt an affirmative procedure to designate age-verification regulators.

• Statutory right of appeal to website blocking is not necessary.

The Government found the current appeals process run by the BBFC efficient and even though this is a non-statutory procedure, they consider it effective. It is likely that the appeals process will remain non-statutory but provided by a different body independent from the original decision maker.

• No definition for age-verification technologies.

The Government does not consider it appropriate to define terms relating to age-verification technologies due to technology constantly changing. This means that there will be no specification for privacy safeguards on the face of the Bill. The Government will only table amendments that would require the Secretary of State to approve age-verification regulator’s guidance on technologies.

A new clause will give power to the Secretary of State to issue a guidance for age-verification regulators on how to issue their guidance. The Government intends to publish a draft guidance before the next sittings.

Data sharing

The Government's response also addressed data sharing provisions.

• Codes of practice will be statutory.

The Government agreed to comply with the Committee’s recommendation to subject codes of practice to parliamentary oversight. They accepted the recommendations because of important safeguards that are in the codes of practice and because public authorities would be acting unlawfully if they fail to have regard to them.

• There will be a list of “specified persons”.

A government amendment will specify who is a “specified person” for purpose of public service delivery, debt owed to the public sector and fraud against the public sector.

• Narrower drafting of objectives of data sharing for public service delivery.

The Government stated that they will draft the objectives as narrowly as possible but they want to introduce another condition for the power - to specify an objective.

The powers contained in the data sharing provisions are supposed to benefit individuals. The introduction of a power to specify an objective could risk making these objectives punitive if the nature of objectives is not specified.

The Government have not made changes to measures around onwards disclosure of data or around reviews to all powers under the data sharing provisions. Currently, the Bill intends to review only the powers relating to fraud and debt. Additional amendments should be made to bring standards in the DEBill on onwards disclosure of data to those set in the Data Protection Act 1998.

Question on digital custodians

Andrew Gwynne MP asked the Minister for the Cabinet Office, whether ‘data custodians’ referred to in the publication Government transformation strategy: better use of data are individual people or external organisations.

Ben Gummer MP responded that the term refers to named individuals, located within public organisations. The data custodian is responsible for the live, operational data contained within a register.

Question on cyber crime officers

Lyn Brown MP asked the Secretary of State for the Home Department, how many cyber specials there are in police forces in England and Wales and how many of those officers have been recruited since January 2015.

Brown also asked how many National Crime Agency Special Officers there are with specialisation in cyber crime and how many of those have been recruited since January 2015.

Brandon Lewis MP responded that there are at least 40 cyber specials in police forces in England and Wales and at least 21 have been recruited since January 2015. The NCA has 22 specials with expertise in cyber crime and 19 of those have been recruited since January 2015.

Question on cyber crime education

Stephen Timms MP asked the Secretary of State for Education, what steps the Department is taking to promote awareness of cyber security among school-aged children.

Nick Gibb MP responded that the new computing curriculum introduced in September 2014 included aspects of cyber security for children from an early age. The Department for Culture, Media and Sport announced investment of up to £20 million in a Cyber Schools Programme which will develop key skills to help protect businesses against online threats.

Question on medical records

Caroline Lucas MP asked the Secretary of State for Health, for what reasons the Department did not undertake an impact assessment or a consultation on the Memorandum of Understanding between the Home Office, NHS Digital and the Department.

Nicola Blackwood MP responded that the Department considered the potential impact of the arrangements for requests to locate illegal migrants who have lost touch with the Home Office.

The Department did not consult publicly on the Memorandum because it was developed as an internal governance assurance document.

Other national developments

First Investigatory Powers Commissioner

The Prime Minister approved the appointment of the first Investigatory Powers Commissioner (IPC). Lord Justcie Fulford will become the fist Commissioner for a 3-year term.

Fulford is currently the Judge in Charge of IT and leads for the judiciary on HM Courts & Tribunals Service reform.He will remain a Judge of the Court of Appeal during his term as an IPC.

The role of the IPC is to authorise and oversee the use of Investigatory Powers by public authorities.

IPAct legal challenge

Liberty issued another legal challenge against the Investigatory Powers Act. The legal challenge is targeting unprecedented bulk surveillance powers contained within the Act.

Liberty argues against these powers in the IPAct:

• bulk and 'thematic' hacking
• bulk interception of communications content
• bulk acquisition of communications data
• bulk personal datasets

Previously, the European Court of Justice ruled in a case on data retention brought forward by Tom Watson MP and David Davis MP (later only Watson ). The Court found data retention powers in the Act excessively intrusive and not permissible. The new legal challenge will take a different legal route. The Watson case has its scope limited to retention and deals with EU law. This route does not apply to bulk powers in the Act.

The Home Office appealed against the CJEU’s decision but the Court has not set a date for an appeal hearing yet.

Last week, the Home Office launched a public consultation on draft Codes of Practice for the IPAct. The consultation does not include the code for communications data. The code relates to obligations for communications service providers regarding retention and obtaining of people's communications data.

The Home Office spokesperson said they deferred consultation on the code until judgment from the CJEU is considered by the domestic courts.

The consultation will run until 6 April.

UK Digital Strategy

The Department of Culture, Media and Sport published the UK Digital Strategy. The strategy outlines how the Government plans to “a world-leading digital economy that works for everyone”.

The strategy tackles seven different areas:

• Connectivity - building world-class digital infrastructure for the UK
• Digital skills and inclusion - giving everyone access to the digital skills they need
• The digital sectors - making the UK the best place to start and grow a digital business
• The wider economy - helping every British business become a digital business
• A safe and secure cyberspace - making the UK the safest place in the world to live and work online
• Digital government - maintaining the UK government as a world leader in serving its citizens online
• Data - unlocking the power of data in the UK economy and improving public confidence in its use

The strategy's section on digital government reiterates the outline of the Transformation Strategy published by the Cabinet Office last month. This includes improving digital skills within the Civil Service. The strategy also repeats the intention to fully abide with the EU General Data Protection Regulation and to promote sharing of data within government as set out in the Digital Economy Bill currently going through Parliament.

Government initiative for internet safety

The Government announced a new initiative for Internet safety. The initiative pledges to make the UK “safest place in the world for young people to go online”.

The Secretary of State for Culture, Media and Sport Karen Bradley MP is supposed to produce a green paper in the summer. The Government also commissioned a report on how young people are using Internet and possible dangers they may face.

The report is supposed to answer questions around how to prepare children to be able to help themselves, helping parents understand dangers and communicate them to children, tech industry’s responsibility and how technology can be helpful to deliver Internet safety.

The Government will hold several roundtable meetings with social media companies, technology firms, young people, charities and mental health experts. The initiative partly mirrors the approach in the Digital Economy Bill (DEBill) to online pornography. The Bill aims to prevent children from accessing adult material online.

Provisions in the DEBill regarding online pornography already created issues for privacy and Internet censorship. The Internet safety initiative will be subject to similar issues, thus it is crucial the roundtable discussions address children’s privacy and freedom of speech as well.

NHS data loss

It was reported this week that the NHS lost more than 500,000 pieces of confidential medical correspondence. The patient data was not delivered between GPs and hospitals from 2011 to 2016. Instead, it was mistakenly stored in a warehouse.

NHS England already launched an investigation to estimate how many patients have been affected. Jeremy Hunt MP, the Health Secretary, said that there was no evidence that any patient's safety has been put in risk. However, the investigation has not concluded.

The Health Secretary confirmed that he learned about the incident four months ago and was advised not to publicly disclose the situation until risk assessments for patients’ safety were carried out.

Labour and Lib Dems criticised the late public disclosure of the data loss. They highlighted that the “staggering loss of personal and private data” could have been crucial to patients’ treatment.

Police stores innocent mug shots

A report released last week by the Home Office revealed that police store large numbers of custody images of innocent suspects. Generally, police should delete data relating to innocent people but suspects are expected to request the removal of photos and videos.

The report also stated that it would not be practical for police to remove relevant custody images from the database storing 19 million of them.

The UK High Court ruled in 2012 that the storing of images of innocent people was unlawful. The recent review of the procedures used for sharing of information across various boundaries and departments explained that a British national

“who is not convicted of of the offence in relation to which their custody image was taken may apply for it to be deleted.”

Police, however, do not have enough workforce to regularly remove images manually and unsuitable IT resources to do so automatically.

These impediments have a serious impact on people’s right to privacy. The system needs to be improved to facilitate automatic deletion of custody images of innocent subjects. This practice is already employed for fingerprints and DNA.

Europe

French-German lobby for backdoors

French and German ministers for the interior sent a letter (written in French) to the European Commission calling for backdoors to encryption.

Bruno Le Roux and Thomas de Maizière tried to convince the Commission that these measures are necessary to protect the EU from terrorism. Measures suggested by the two ministers call for the greater sharing of people’s personal information between member states’ police forces, more reliance on biometrics and cooperation from tech companies to make their encryption easily crackable by law enforcement agencies.

The European Commission showed support to the measures described in the letter. They said

"Encryption technology should not prevent law enforcement agencies or other competent authorities from intervening in the lawful exercise of their functions."

France and Germany would like to implement these changes in October.

It has been pointed out numerous times that building encryption backdoors solely for the use of law enforcement is impossible. Once a backdoor is set up, encryption is weakened in general and exposes whole systems to the risks of hacking from various actors.

ORG media coverage

See ORG Press Coverage for full details.

2017-02-27-Gov wants to make the UK the 'safest place in the world to go online'

Author: Alexander J Martin

Summary: Jim Killock quoted on ensuring children’s safety online should go hand in hand with protecting their rights to privacy and free speech.

ORG Contact Details

Staff page

• Jim Killock, Executive Director
• Javier Ruiz, Policy
• Ed Johnson-Williams, Campaigns
• Pam Cowburn, Communications
• Lee Maguire, Tech
• Myles Jackman, Legal Director
• Charlie Tunmore, Supporter Officer
• Slavka Bielikova, Policy Officer