This is ORG's Policy Update for the week beginning 03/04/2017.
Policy updates will take a short break and will be back the week beginning 17/04/2017.
- 1 ORG’s work
- 2 Official meetings
- 3 Parliament
- 4 Other national developments
- 5 Europe
- 6 International developments
- 7 Questions in UK Parliament
- 7.1 Question on copyright
- 7.2 Question on encryption
- 7.3 Question on data adequacy agreements
- 7.4 Question on relevance of IPAct
- 7.5 Question on electronic attack on UK's democratic processes
- 7.6 Question on sharing of sensitive personal information
- 7.7 Question on UK-EU data adequacy
- 7.8 Question on encryption
- 7.9 Question on government databases
- 7.10 Question on necessary hashtags
- 7.11 Question on Privacy Shield
- 7.12 Question on EU law and data protection
- 7.13 Question on review of cyber security standards
- 8 ORG media coverage
- 9 ORG Contact Details
- ORG received a response from the Minister of Security Ben Wallace MP to the letter we wrote alongside other civil liberties groups, lawyers and other parties to the Home Secretary Amber Rudd MP regarding the consultation on Codes of Practice for the Investigatory Powers Act.
- We are organising a meeting for ORG’s local organisers this week about ORG’s latest work and the future role of local groups.
- Over a thousand people used an ORG action to respond to the Home Office's consultation on the Investigatory Powers Act Codes of Practice.
Planned local group events:
- Join ORG London on April 11 for a discussion with ORG Legal Director Myles Jackman and feminist pornographer and sexual liberties campaigner Pandora Blake, about the Digital Economy Bill and what it could mean for you.
- Join ORG Leeds on Wednesday 12 April to find out from Jim Killock what the new law means for journalists and whistleblowers and what you can do to stop the Law Commission's proposals.
- Join ORG Birmingham for a practical session to learn about the threats you face and what you can do to protect yourself. With WikiLeaks' revelations of alleged CIA hacking tools it's more important than ever that we as citizens take steps to protect our privacy.
- Javier Ruiz attended a local ORG Brighton event to talk about the proposed changes to the Espionage Act.
- Jim Killock attended a meeting convened by the Public Concern at Work regarding the proposed Espionage Act and its impact on journalists and lawyers.
- Jim Killock is attending a roundtable about Brexit and human rights hosted by Liberty.
The Digital Economy Bill concluded its passage in the House of Lords on 5 April. Only a handful of amendments were discussed by the Lords. Most of these were of a technical and administrative nature, making no substantial changes to the Bill.
The newest version of the Bill can be accessed here.
The amended Bill will now be sent back to the House of Commons for approval of Lords’ amendments. The date for the next “ping pong” session has not been announced yet as the House of Commons is on recess until 18 April.
The DEBill is leaving the House with:
- insufficient privacy safeguards for age verification
Part 3 and the Codes of Practice for age verification do not clearly divide the responsibilities of several regulators and an administrator of the appeals processes. The Government decided not to legislate on users being able to choose the tool to verify their age. It will be up to websites to choose which age-verification tools they want to use.
With only the market, and not legislation, regulating the most widely used AV tools, new risks of tracking people’s sexual preferences will be created, and possibilities of data leaks will abound.
- poorly defined provisions on censorship
The DEBill does not limit what can be blocked if age verification is not used on an adult website. Without any limits imposed on the levels of blocking, the Government can easily block entirely legal sites.
- no amendment for online copyright infringement
The Government decided not to include thresholds of seriousness for the definition of online copyright infringement offences. This makes any intentional infringement a criminal matter. Such a definition is not proportionate and makes the offence unforeseeable.
- partial improvements to data sharing in government
The Government improved the data sharing part by making the Codes of Practice statutory and by narrowing down which public authorities can access data. However, the Bill still enables bulk sharing of civil registration data and does not provide for reviews for all the powers under Part 5.
Jim Killock analysed the current state of the DEBill in more detail in a blog.
Inquiry into civilian drones
The House of Commons Transport Committee launched an inquiry into civilian drones aiming to consider how the benefits of drone technology can be maximised within a safety framework.
The Committee is interested in submissions on:
- The safety and security risks posed by drones, particularly to manned aircraft
- The role of technology in enabling safe and sustainable growth in the civilian drones sector
- The likely effectiveness of key government proposals in its recent consultation, including pilot training and the proposed online registration scheme
- The current enforcement arrangements for misuse of drones in the UK
- Insurance issues and actions needed to create a viable market for drones insurance
- The economic growth potential of the drones industry in the UK and the Government's role in enabling that growth
The Committee is accepting submissions until 26 May.
Inquiry into the use of algorithms
The House of Commons Science and Technology Committee launched an inquiry into the use of algorithms in public and business decision making. This inquiry follows the Committee’s recent work on Robotics and AI, and its call for a standing Commission on Artificial Intelligence.
The Committee is seeking evidence on these areas:
- the extent of current and future use of algorithms in decision-making in Government and public bodies, businesses and others, and the corresponding risks and opportunities;
- whether 'good practice' in algorithmic decision-making can be identified and spread
- methods for providing regulatory oversight of algorithmic decision-making
Written evidence can be submitted by 21 April here.
Other national developments
Minister’s response to the IPAct consultation complaint
Ben Wallace MP responded to the letter civil liberty groups (including ORG), lawyers and other parties wrote to the Home Secretary Amber Rudd MP last week, regarding the consultation on codes of practice for the Investigatory Powers Act.
The original letter raised concerns about the lack of explanatory detail needed to understand the set of documents, as well as the time constraints and the volume of CoPs, which made it near impossible to provide a meaningful response to the consultation.
ORG and other organisations called on the Home Office to:
1. Publish detailed information describing
- The functional purposes of the Codes, the safeguards and duties contained
- The justifications for the approaches within each code; and
- The changes made to the draft codes since they were presented to Parliament
2. Extend the deadline for the consultation to a full three months, starting at the point that the information above is published
3. Arrange briefings for lawyers, civil society and others to take them through the key points.
In his letter, the Minister said that
“Despite a number of necessary updates, the majority of the contents of the Codes has not changed considerably since updated drafts were published in October 2016.”
Wallace noted that a wide range of organisations to whom the Codes apply have been specifically consulted on their content. He further referred to the Cabinet Office guidance on consultation process that states that a consultation process should not unduly delay the commencement and implementation of the important safeguards and powers contained within the Act.
The Home Office believes that the consultation period of six weeks is a sufficient amount of time in addition to the scrutiny the codes have already received.
Fines for charities by the ICO
The Information Commissioner’s Office fined 11 charities that breached the Data Protection Act by misusing donors’ personal data.
These include the International Fund for Animal Welfare, Cancer Support UK, Cancer Research UK, The Guide Dogs for the Blind Association, Macmillan Cancer Support, The Royal British Legion, The National Society for the Prevention of Cruelty to Children, Great Ormond Street Hospital Children's Charity, WWF-UK, Battersea Dogs' and Cats' Home and Oxfam.
The offences committed by charities included secretly screening the personal wealth of donors to target them for additional funds, obtaining personal information from third parties and sharing their information with other charities, creating a large database of donor data for sale.
The Information Commissioner Elizabeth Denham decided to significantly reduce the level of fines for charities citing the potential distress caused to donors by the charities’ action as a reason. Denham said
“No charity wants to alienate their donors. And we acknowledge the role charities play in the fabric of British society. But charities must follow the law.”
This investigation was part of a wider operation based on media reports on repeated and significant pressure on supporters to contribute. The investigation into charities is now concluded.
The Charity Commission for England and Wales is now investigating whether action needs to be taken against individual trustees.
The Members of the European Parliament voted in favour of a resolution declaring Privacy Shield inadequate this week. This resolution was already approved by the Parliament’s Civil Liberties Committee (LIBE) last week. LIBE said in its statement that Privacy Shield has serious deficiencies that need to be fixed. The statement was echoed by the European Parliament this week.
The resolution was adopted by 306 votes to 240.
MEPs called on the EU Commission to conduct a proper assessment of the EU-US data sharing agreement. The Commission should ensure that Privacy Shield for data transferred for commercial purposes provides enough personal data protection for EU citizens and complies with the EU Charter of Fundamental Rights and new General Data Protection Regulation.
MEPs expressed their concerns regarding:
- recent revelations about surveillance activities conducted by a US electronic communications service provider at the request of the NSA and FBI in 2015
- new rules that from January 2017 allow the NSA to share vast amounts of private data, gathered without warrant, court orders or congressional authorisation, with 16 other agencies, including the FBI,
- the rejection of rules to protect the privacy of broadband customers by the Senate and the House of Representatives in March
- vacancies on the Privacy and Civil Liberties Oversight Board, which means that it lost its quorum on 7 January, making it more limited in its authority, while at the same time the Federal Trade Commission, which enforces the Privacy Shield, has three of its five seats vacant
- insufficient independence of the Ombudsperson mechanism set up by the US Department of State plus the fact that the incoming US administration has not appointed a new Ombudsperson
- the fact that neither the Privacy Shield Principles nor letters from the US administration demonstrate the existence of effective judicial redress rights for EU individuals whose data are transferred to the US
The first annual review of the Privacy Shield is due in September.
The European Commission’s Justice Commissioner Vera Jourova confirmed the review timeline last week in her speech in Washington. She said
"If we want to further consolidate this new transatlantic bridge, we need the active engagement and contribution of all interested parties to the review."
Rightsholders appeal to G7 for stronger copyright enforcement
An association of media and entertainment businesses (including BBC Worldwide, Mediaset, Canal+, Bundesliga, UEFA, 20th Century Fox, Sony Pictures and the Walt Disney Company) made an appeal to the Culture Ministers from the Group of Seven (G7) to take action against Internet piracy.
The G7 meeting in Florence on 29 March focused on the protection of cultural heritage, combatting trafficking of artistic and historic items and using culture as an instrument for dialogue. The meeting is part of the preparations for a summit of leaders of G7 in May.
The association of media and entertainment businesses asked the G7 Culture Ministers in a letter to
“provide their support to ensure the continued success of the entertainment sector across the G7 countries and beyond.”
Media and entertainment businesses claimed that Internet piracy “places in jeopardy the capacity for our businesses to continue to invest, to grow and contribute to our economies and society.” They called on the G7 to address this problem in a coordinated and strategic manner.
US rules on ISP privacy
The US President Donald Trump signed legislation repealing the online privacy rules limiting the ability of ISPs to share or sell customers’ information for advertising purposes.
The House of Representatives voted down the rules issued by the Federal Communications Commission (FCC) last week. Prior to the President’s sign-off the Senate and the House of Representatives passed a resolution that ensured the rules have no force or effect and the FCC cannot issue similar regulation in the future.
The FCC’s privacy rules for ISPs required broadband providers to get consumers' opt-in consent before selling or sharing Web browsing history, app usage history, and other private information with advertisers and other companies.
ISPs are now not obliged to seek customers’ approval to share their browsing histories (and other personal information) with advertisers. The FCC rules required express informed consent, equal to an opt-in approval from the customer, for the use of information such as: precise geo-location, health, financial, and children’s information; Social Security numbers; content; and web browsing and application usage histories and their functional equivalents.
This will give ISPs the opportunity to formulate the consent for customer data sharing in a way they like. Since the requirement for opt-in has been scrapped, consents can be phrased in a deceptive manner, where it will not be clear to customers that they are about to share their sensitive personal data just by signing a contract.
Sir Tim Berners-Lee expressed particular concern for the privacy rules being scrapped. He said
“Obviously the worry is the attitude and the direction. The attitude is really appalling. That bill was a disgusting bill, because when we use the web, we are so vulnerable.”
Bruce Schneier explains what ISPs could do with customers' data here.
Questions in UK Parliament
Question on copyright
Kirsten Oswald MP asked the Secretary of State for Business, Energy and Industrial Strategy, what assessment the Department has made of the effect of proposed changes to EU copyright law on UK firms engaged in the digital economy.
Jo Johnson MP responded that the Government called for evidence from interested parties after they examined European Commission’s impact assessment. Johnson said that the Government hosted several meetings with different sectors of industry. The negotiations are still at an early stage.
Question on encryption
Ben Wallace MP responded that the Government finds it essential that the law enforcement services have the powers they need to keep people safe. Wallace said they are committed to taking robust action to tackle radicalisation online. The Government is closely working with social media and Internet companies to explore options to provide appropriate access to encrypted terrorist content to law enforcement agencies.
Question on data adequacy agreements
Louise Haigh MP asked the Secretary of State for Culture, Media and Sport,
- what assessment the Department has made of the potential effect of the UK’s data retention regime on securing a data adequacy agreement with the EU after Brexit;
- what assessment the Government has made of the implications of the Investigatory Powers Act for the UK securing a data adequacy agreement with the EU;
- whether the UK can apply for an adequacy decision while still being formally a member of the EU.
Matthew Hancock MP responded that the General Data Protection Regulation will apply to the EU member states from May 2018, this will include the UK. Hancock said that the Government will be considering all the available options during exit negotiations that will provide legal certainty for businesses and citizens.
Question on relevance of IPAct
Louise Haigh MP inquired whether it is possible to have a debate on whether the Investigatory Powers Act is still relevant and whether it is still GCHQ’s guidance to industry to encrypt communications, following statements made by the Home Secretary the previous week.
The Home Secretary Amber Rudd MP called for intelligence services to have access to encrypted messages. Haigh pointed out that Earl Howe previously said that
“The assertion that the Government are opposed to encryption or would legislate to undermine it is fanciful.” [Official Report, House of Lords, 19 October 2016]
David Lidington MP responded that there is a real threat to cyber-security, that cybercrime has a massive cost on society, and that the Government support encryption. Lidington said that there needs to be a balance to ensure that encryption does not provide a safe space for terrorists, paedophiles or organised criminals. They want to require companies to have the ability to decrypt those messages when they have been served with a properly authorised warrant.
Question on electronic attack on UK's democratic processes
Caroline Lucas MP asked the Minister for the Cabinet Office, what assessment the Government made of the current threat to democracy in the UK from cyber attacks, propaganda and subversion by hostile states.
Chris Skidmore MP responded that the UK’s paper balloting and hand counting means that they cannot be manipulated electronically. Skidmore said that the Government has in place a number of measures to protect the integrity of the electoral process from malign activity, including from cyberattack.
Question on sharing of sensitive personal information
Lord Paddick asked the Government whether they plan to continue sharing of sensitive personal information with other European Union member states for the purposes of crime prevention and detection after Brexit.
Baroness Williams of Trafford responded that the Government are clear that their commitment to co-operation with European allies on security and law enforcement will be undiminished as a result of Brexit. She said that it is too early to say what the future arrangements might look like.
Question on UK-EU data adequacy
Louise Haigh asked the Secretary of State for Culture, Media and Sport,
- whether the Government conducted contingency planning in case the UK does not secure a data adequacy decision with the EU prior to exiting the EU;
- what discussions the Department has had with the EU on securing a data adequacy agreement.
Matthew Hancock MP responded that since negotiations to leave the EU have not begun, it would be inappropriate to speculate. Hancock said that the Government objective is to ensure continued data flows between the EU and countries outside the EEA once the UK leaves the EU.
Question on encryption
Louise Haigh MP asked the Secretary of State for the Home Department,
- whether they have held discussions with the Counter Terrorism Command on encryption;
- what consultation the Department has conducted with financial services firms, legal services firms, the technology sector and identity verification providers on her policy to abolish end-to-end encryption;
- what assessment has been conducted of the consequences for the UK economy and national security of banning end-to-end encryption.
Ben Wallace MP responded that the Government is keen to ensure that the correct balance is struck between protecting information online and the need for our police and intelligence agencies to read, subject to appropriate authorisation, encrypted messages of those who plan and commit terrorist attacks and serious crimes when it is both necessary and proportionate to do so.
Question on government databases
Chris Skidmore MP responded that Open data is already delivering enormous value across the economy and society. Skidmore said that the UK is committed to being the world’s most open and transparent government and the UK’s third Open Government National Action plan sets out an ambitious agenda to achieve this.
Question on necessary hashtags
Louise Haigh MP asked the Secretary of State for the Home Department,
- what recent meetings and discussions she has had with people who understand the necessary hashtags, and
- what recent discussions she has had with Facebook on its co-operation in counter-terrorism activity.
Sarah Newton MP responded that the Department is working closely with social media and Internet companies to ensure that harmful content is removed from their platforms. Newton said that the Department meets with them regularly at both Ministerial and official level.
Question on Privacy Shield
Louise Haigh MP asked the Secretary of State for Culture, Media and Sport, whether the Government has reached a decision on whether to support the European Commission in the case of La quadrature du Net and Others v Commission T-738/16.
Matthew Hancock MP responded that the UK has formally intervened in the legal challenge to the EU-US Privacy Shield Agreement lodged at the General Court of the Court of Justice of the European Union in the case of La Quadrature du Net and others v Commission (Case T-738/16). Hancock said that the UK Government will support the Commission in favour of the EU-US Privacy Shield decision.
Question on EU law and data protection
Louise Haigh MP asked the Secretary of State for Culture, Media and Sport, what assessment the Government has made of the implications of the decision of the European Court of Human Rights in the case of S. and Marper vs United Kingdom on the UK's ability to secure a data adequacy agreement with the EU.
Matthew Hancock MP responded that the Government aims to ensure unhindered data flows between the EU and the UK after Brexit. They will be considering all the available options that will provide legal certainty for businesses and citizens alike.
Question on review of cyber security standards
Matthew Hancock MP responded that the Government keeps the material relating to cyber security standards - such as the Cyber Essentials scheme - under regular review and updates it on an ad hoc basis.
ORG media coverage
See ORG Press Coverage for full details.
- 2017-03-30-Middle East Eye-'Secret deals' with tech companies unacceptable, UK government told
- Author: Simon Hooper
- Summary: ORG mentioned in relation to a letter sent to the Home Secretary and tech companies about their meeting on censoring extremism.
- 2017-04-01-Financial Times-Want to stop online snoopers? Here’s how to use a VPN
- Author: Tim Bradshaw
- Summary: ORG quoted on how to choose a VPN.
- 2017-04-03-VPN Compare-UK Government backs down in Encryption argument
- Author: David Spencer
- Summary: Alec Muffett quoted on the inability of the Government to coerce the open-source community to comply with encryption removal.
- 2017-04-03-Apps for PC Daily-United Kingdon Government: Terrorists should not be able to communicate secretely via WhatsApp
- Author: Carlton Cooper
- Summary: Jim Killock quoted on how removing encryption on WhatsApp would make millions of people online less secure.
- 2017-04-04-Info Security-Most Brits Would Feel ‘Safer’ Without Encryption
- Author: Phil Muncaster
- Summary: ORG mentioned in relation to the Government already having powers to impose technical capability notices on tech companies.
- 2017-04-04-SC Magazine-Cable survey: UK public would choose greater security over privacy
- Author: Max Metzger
- Summary: Ed Johnson-Williams quoted on how feeling safer due to reduced communication security is a privileged position.
- 2017-04-06-The Sun-How to stop Facebook from tracking your every move and working out your whereabouts
- Author: Alahna Kindred
- Summary: Ed Johnson-Williams quoted on Facebook tracking users’ location to help advertisers locate specific target groups.