ORG policy update/2017-w10

This is ORG's Policy Update for the week beginning 06/03/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

ORG has been preparing a briefing for the House of Lords before another Report stage sitting to discuss the Digital Economy Bill.
We launched a campaign to email Jo Johnson MP, the Minister for Universities, Science, Research and Innovation, to fix threats posed by offences for copyright infringement in the Digital Economy Bill. Let's stop copyright trolls threatening ordinary Internet users with 10 years in prison. Email the Government.
ORG have been working on our submission for the consultation on the Espionage Act. The threat of 14 years in prison for handling classified and secret documents could stop journalists and whistleblowers from exposing corruption and government wrongdoing - especially in the secret services. Sign the petition!

Planned local group events:

You seal your letters but send your mails unencrypted? You want to protect your privacy online but don't know how to do it? Join ORG Manchester on Friday 17 March to learn how to protect your communications and content over the Internet.
Join ORG Birmingham on Tuesday 21 March to find out more about the Espionage Act and what you can do to stop the Law Commission criminalising journalists and public-interest whistleblowers.
Let's stop copyright trolls threatening ordinary Internet users with 10 years in prison. Email the Government.

Parliament

DEBill

The Digital Economy Bill is due to be debated by Lords in the second and third sittings of the Report stage on 20 and 22 March. These are likely to be the last Report stage sittings as the date for the Third Reading has been announced for 29 March.

Online copyright infringement

After we launched an action last week for people to email Jo Johnson MP, the Minister for Universities, Science, Research and Innovation, and to ask to introduce an amendment for offences of copyright infringement, the Intellectual Property Office issued a statement.

ORG has argued that the definition of the offence is too broad and is likely to catch small individual infringers. The Government has previously stated that they do not expect small scale infringers to be caught by the offence. The Government has not tabled any amendments to rectify the situation and make it clear who they aim to prosecute.

This could be easily done by entering thresholds of seriousness into the offence. It would also prevent copyright trolls from exploiting vulnerable people by threatening them with 10-year jail sentences.

The Government’s response stated that

“The risk of an increase of ‘trolling’ is considered to be low but the government will periodically review and respond to any concerns.[...] It would not be practical for the government to set a specific level of loss or gain at which infringement becomes a criminal offence.”

Jim Killock responded to the Government’s statement and outlined ORG’s position.

Age verification

The Government tabled new amendments for age verification following their promise to incorporate several recommendations from the Delegated Powers and Regulatory Reform Committee’s report.

The Government plans to introduce three additional Statutory Instruments (guidance).They will be: a) an outline of what material should be censored, b) guidance provided by the age-verification regulator, and c) guidance provided by the Secretary of State to the age-verification regulator on how to issue a guidance.

The amendments also introduce two new regulators that will join the British Board of Film Classification. The BBFC will regulate what content gets censored and will be responsible for notifying non-compliant websites. Handing out of financial penalties for non-compliance will be carried out by another unknown regulator.

The process of appeals will also get its own regulator that will be independent from the BBFC. The Government made it clear that they do not want UK courts to be part of the appeals process for blocking of pornographic websites.

The age-verification policy remains a badly thought-through policy even with these changes. The current drafting does not mention age-verification providers and it is not clear if they could be regulated by the legislation. This could lead to a monopoly of one age-verification tool with bad privacy standards.

Lib Dems tabled an amendment to prevent exactly this scenario.

Jim Killock explains in more detail what effect the Government amendments will actually have in a blog.

Data sharing

Several new amendments have been introduced by the Government to act on recommendations from the Delegated Powers and Regulatory Affairs Committee.

We welcome Government’s amendments:

limiting powers of Ministers by narrowing down objectives for data sharing,
creating a closer link with functions of public authorities,
limiting definitions of “specified persons” able to share data for public service delivery and fraud and debt purposes,
making codes of practice statutory,
removing powers to repeal and amend the Bill without prior scrutiny.

However, there are still some issues in Part 5 on data sharing that should be addressed. These include intrusive powers in Chapter 2 on civil registration data and review of all powers in Part 5.

Question on data protection

Louise Haigh asked the Secretary of State for Culture, Media and Sport, what information the Department holds on the number of commercial companies that retain individuals’ personal data.

Matthew Hancock MP responded that the Department does not hold this information. The Information Commissioner’s Office requires data controllers processing personal data to register with them unless they are exempt.

Question on fines and data protection

Patricia Gibson asked the Secretary of State for Culture, Media and Sport, on what date the Department plans to publish the consultation on legislative proposals on the accountability of named directors of firms responsible for breaches of the Privacy and Electronic Communications Regulations.

Matthew Hancock MP responded that they intend to issue a consultation during this session of Parliament on making company directors and those in similar positions accountable for breaches of the Privacy and Electronic Communications Regulations 2003. The proposed measure would give the Information Commissioner a power to impose Civil Monetary Penalties of up to £500,000 on those in positions of responsibility in all forms of corporate entity.

Question on images on the police national database

Lord Scriven asked the Government, whether the storage of 19 million facial images uploaded onto the police national database is compliant with data protection regulation.

Baroness Williams responded that the Government acknowledges that there are privacy issues and the custody images review has made recommendations for improvements of the retention regime.

Question on pupils’ records

Lord Scriven asked the Government, when and how former pupils who provided their personal data before 2010 for the purposes of their own education and who are now older than 19 will be informed of the new broader uses of their individual personal data by third parties since 2011. He further inquired whether they are able to withdraw these data.

Lord Nash responded that it is not possible for data subjects to withdraw their data and they will not be informed of the broader uses of their individual personal data by third parties.

Question on IPAct and electronic surveillance

Lord Paddick asked the Government, when they plan to implement the provisions regarding the creation and collection of internet connection records, what guidance and training they have issued to law enforcement agencies to enable them to make use of internet connection records and whether they will publish the latest cost assessment of set-up costs, and annual running costs, for internet connection records.

Baroness Williams responded that the Government are in the process of working with telecommunications operators to implement these provisions. The Government intends to publish codes of practice for public consultation that will then be subject to Parliamentary approval using the affirmative procedure.

The costs of implementing internet connection records were outlined in the impact assessment published during the passage of the Investigatory Powers Act.

Question on Brexit

Nick Clegg MP asked the Secretary of State for the Home Department, what contingency plans are in place for a situation in which no deal is reached with the EU on (a) extradition, (b) surveillance and (c) data exchange.

Brandon Lewis MP responded that the Government is committed to ongoing cooperation with the EU on security and law enforcement. He stated that it is too early to speculate at this stage what future arrangements may look like.

Question on investigatory powers

Lord Paddick asked the Government, when they will publish the membership of the Technical Advisory Panel as provided for by the Investigatory Powers Act 2016; and how many times the Panel has met.

Baroness Williams responded that after the Investigatory Powers Commissioner is appointed, he will establish the Panel.

Other national developments

Extended deadline on the Espionage Act consultation

The Law Commission extended the deadline for the public consultation on the new Espionage Act. The consultation will close on 3 May. This is due to large amount of interest.

The Law Commission previously published a consultation paper advising the Government how to update the current law about espionage (Official Secrets Act) and state secrets. According to the consultation, the new Espionage Act would increase penalties for espionage and broaden the definition of who could commit espionage.

The consultation was commissioned by the Government because they believe the current secrecy legislation is outdated in the digital age. Their particular concern is that electronic documents can be leaked in bulk, which poses new security risks.

Journalists handling secret materials from whistleblowers could be prosecuted under the Act whether or not they had engaged in ‘espionage’, and on the basis of the risk that an individual possessing the documents poses to the state, i.e. that they could be passed on, rather than have been, to a foreign power. Such broad definition would have highly detrimental effects on investigative journalism and public-interest whistleblowing where classified information is implicated.

The consultation document explicitly rejects a public interest defence for whistleblowers. Instead it proposes that concerns should be directed through an ombudsman.

ORG launched a petition asking the Law Commission to drop their proposals. Join over 18,000 people and sign the petition!

ICO inquiry into misuse of data in politics

It was reported the Information Commissioner’s Office launched an investigation into how voters’ personal data is captured and exploited in political campaigns.

The ICO decided to intervene following the last week’s revelations that a technology company had in a key role in the Leave campaign during the referendum on leaving the European Union.

The ICO spokesperson said

““We are conducting a wide assessment of the data-protection risks arising from the use of data analytics, including for political purposes, and will be contacting a range of organisations. We intend to publicise our findings later this year.”

Drop in advertising on pirate sites

City of London Police’s Intellectual Property Crime Unit (PIPCU) revealed that in the past 12 months there has been a 64% drop in advertising on illegal sites. Potential revenue of 200 copyright infringing websites is affected.

This action is part of the Operation Creative - an initiative to reduce copyright infringement using a variety of tactics. In this case, the initiative makes it harder for websites to generate revenue from advertising. Potential advertisers receive a list of infringing websites and are encouraged to boycott the domains.

The list is created by the police and copyright owners without being available to the public. This approach can potentially create issues of overblocking without providing efficient ways of appeals since the process is not overseen by a court.

Europe

EU Copyright reform

A leaked report from the rapporteur for the Committee on Legal Affairs Therese Comodini Cachia on the upcoming copyright reform calls for dropping the plans to give more rights to news websites and music industry. The Legal Affairs Committee is the lead committee for the Copyright Reform, Comodini's comments are likely to have significant weight on the future of the reform.

The rapporteur suggested that Article 11, seeking additional rights for news publishers by asking search engines to pay fees for displaying snippets of their articles, should be set aside and instead copyright should be enforced by giving authors and publishers the right to go to court.

Comodini Cachia suggested Article 13, arranging the liability of online intermediaries for user generated content into a shared responsibility of rights holders and service providers, is removed. Instead, the report suggests broadening of the scope of a copyright exception for modern research, including text and data mining. The exception is to be applied to all people, not only scientific research as suggested previously.

The report will be debated for the first time on 22 or 23 March. The rapporteur hopes to find an agreement before the end of the year.

The UK Intellectual Property Office ran an informal consultation asking for views on the Commission's proposals late last year. The results of the consultation have not been published yet.

International developments

Wikileaks - CIA exploiting vulnerabilities

Wikileaks published documents revealing the US Central Intelligence Agency (CIA) hacking tools. The documents, titled Vault 7, show that CIA uses zero-day vulnerabilities in most desktop and mobile operating systems.

The files describe CIA plans and descriptions of malware and other tools that could be used to hack into devices. The documents show exchanges of tools and information between the CIA, the National Security Agency and other US federal intelligence agencies, as well as intelligence services of Australia, Canada, New Zealand and the GCHQ in the UK.

However vulnerabilities can also be discovered and exploited by criminals and other countries’ intelligence agencies. This raises several questions about the GCHQ’s conduct.

Ed Johnson-Williams, ORG's campaigner, outlines these in a blog:

How does the Government ensure that GCHQ’s process for deciding whether to exploit or report a vulnerability is adequate? Are they creating unnecessary risks for organisations and individuals?
How do oversight bodies check that GCHQ’s policies for assessing the risk of keeping an active vulnerability secret are sufficiently robust?
Did any hacking operations reduce the security and privacy of an individual/organisation with respect to other actors?
Is the authorisation process sufficient to avoid future problems?
How will the UK government and agencies work to clean up the mess created by their decision not to report these vulnerabilities to the vendors?

Governments should be regulating the way their intelligence agencies hoard and use vulnerabilities that affect devices owned by millions of ordinary people.

The leak of documents sparked discussions about safety of encrypted messaging services such as WhatsApp and Signal. WhatsApp and Signal remain safe for nearly everyone. You can read more about the implications for the messaging apps in another blog by Ed Johnson-Williams.

ORG media coverage

See ORG Press Coverage for full details.

2017-03-03-IP Watch-Switzerland Next In Line To Gamble With Net Blocking: Author: Monika Ermert; Summary: ORG mentioned in connection with Blocked.org.
2017-03-03-The Real News-New UK Secrecy Laws Include Harsh Sentences For Journalists Working With Whistleblowers: Author: Kim Brown; Summary: Interview with Jim Killock on the Espionage Act.
2017-03-03-Nat Law Review-UK Search Engines And Rightsholders Join Forces To Combat Online Piracy: Summary: ORG mentioned in connection with criticism of the Digital Single Market Strategy.
2017-03-05-The Guardian-Why political rebels love WhatsApp: Author: Stuart Dredge; Summary: Jim Killock quoted on MPs failing to see how vital encryption is in everyday life.
216-03-06-The Inquirer-ORG's Digital Economy Bill prison term concerns ignored by government: Author: Dave Neal; Summary: ORG mentioned in connection with the IPO response to ORG’s campaign on online copyright infringement offences.
2017-03-06-Torrent Freak-UK Govt Refuses to Back Down Over Criminalization of File-Sharers: Author: Andy; Summary: ORG mentioned in connection with the IPO response to ORG’s campaign on online copyright infringement offences.
2017-03-06-IP Pro the Internet-ORG and UKIPO clash over 10-year sentences: Author:Barney Dixon; Summary: ORG mentioned in connection with the IPO response to ORG’s campaign on online copyright infringement offences.
2017-03-07-World IP Review-UKIPO responds to Open Rights Group criticism of copyright bill: Summary: ORG mentioned in connection with the IPO response to ORG’s campaign on online copyright infringement offences.
2017-03-08-Newsweek-Wikileaks dump: how to prevent yourself from being spied on: Author: Anthony Cuthbertson; Summary: Ed Johnson-Williams quoted on the importance of continuing to use encrypted messaging apps
2017-03-09-Computer Weekly-Open Rights Group calls for control of spies’ use of zero-days: Author: Warwick Ashford; Summary: Ed Johnson-Williams quoted on the GCHQ responsibilities for disclosing hacking tools to the CIA.
217-03-09-Digital Health-Google’s DeepMind building health data audit tool to counter transparency fears: Author: Laura Stevens; Summary: Jim Killock quoted on DeepMind making an interesting attempt to improve auditing of the way the data is stored, copied and used.
2017-03-10-Democratic Audit UK-The Law Commission’s dangerous proposals would turn whistleblowers and journalists into ‘spies’: Summary: Jim Killock quoted on the proposals for a new Espionage Act being an attack on freedom of the press.

ORG Contact Details

Staff page