ORG policy update/2017-w26

This is ORG's Policy Update for the week beginning 26/06/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

Our newly appointed Scotland Director Matthew Rice has been setting up meetings with local groups across Scotland.

Official meetings

Jim Killock attended a meeting on 27 June with Google policy staff to discuss future legislation.
Jim Killock attended an EDRi Network meeting and discussed the future makeup and rules for the EDRi board.
Javier Ruiz participated in a workshop organised by Involve, Carnegie Trust and Understanding Patient Data on Better use of Data: Balancing Privacy and Public Benefit.
Javier Ruiz participated at a Symposium on Managing Risk in the Digital Society in Barcelona speaking about ethics and compliance in data protection, as part of our EU-funded work in the VIRT-EU project.
Jim Killock met with policy staff from Oath on 30 June to discuss future legislation.

Parliament

Queen’s Speech

Following the General Election 2017 results and Theresa May’s attempt to form a government, the Queen delivered her speech to both Houses of Parliament on 21 June.

The Conservative Government appears to have dropped several pre-election manifesto commitments, including the introduction of compulsory sex and relationship education in schools. In her speech, the Queen referred to the Government’s plans in three areas that will have an impact on digital rights: Digital Charter, Data Protection Bill and Counter-terrorism Review and Commission for Countering Extremism. The latest blog by Jim Killock offers a brief analysis.

Digital Charter

The Queen said that

”proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

This directly follows promises made in the Conservative manifesto.

”A Conservative government will develop a digital charter, working with industry and charities to establish a new framework that balances freedom with protection for users, and offers opportunities alongside obligations for businesses and platforms. This charter has two fundamental aims: that we will make Britain the best place to start and run a digital business; and that we will make Britain the safest place in the world to be online.”

The speech made it clear that this is a charter, not a bill, which suggests that this might be a voluntary framework. However, to ensure that free speech is not just placed in the hands of private companies, the Charter should be backed up by a regulatory framework including independent or judicial oversight of material. Relying solely on enforcement by private companies brings issues of accountability. It is unclear who would be responsible for the rules on making the Internet safe and what, if any, ways of appeal would be available.

This Government continues in their efforts to “regulate the online world in the same way the offline world is regulated” — a claim which does not however recognise that most of the changes they want would be dealt with by police and courts rather than private companies in the offline world. They aim to tackle harmful behaviours and harmful content online (extremist, abusive or harmful to children), and they plan to compel technology companies to do more to protect their users and improve safety online. Such an approach could make online rights weaker than offline rights, and subject to commercial rather than public concerns, in contrast to their demand to end to treat both online and offline in the same way.

The Government recognises that these challenges can be international in their nature and they intend to work with other “like-minded democracies to develop a shared approach”.

Theresa May meeting with the French Prime Minister last week to discuss a joint campaign to tackle online radicalisation would suggest that this strategy is already under way. Their plans involve creating a new legal liability for tech companies if they fail to remove content. Just this week, Germany already passed a law that would allow them to fine social media companies with more than 2 million users if they fail to remove hate speech or other criminal material within 24 hours. The fines can go up to 50 million EUR.

The Queen’s Speech and Background Notes accompanying it did not provide enough detail to assess potential harms of this policy. However, enforcement powers in the hands of private companies are highly problematic.

Counter-terrorism Review

”The government’s counter-terrorism strategy will be reviewed to ensure that the police and security services have all the powers they need and that the length of custodial sentences for terrorism-related offences are sufficient to keep the population safe.”

The notes on the speech detail that the review will cover:

counter-terrorism powers and other powers the Government can use to fight terrorism;
sentences for those convicted of terror offences;
working with online companies to reduce and restrict the availability of extremist material online.

The Conservative Party included similar but more extensive demands on online companies in their manifesto. Both Google and Facebook have already issued statements explaining how they intend to tackle online extremism.

Commission for Countering Extremism

“A commission for countering extremism will be established to support the Government in stamping out extremist ideology in all its forms, both across society and on the internet, so it is denied a safe space to spread.”

The Commission will:

Identify examples of extremism and expose them;
Help the Government to identify new policies to tackle extremism;
Support the public sector and civil society in promoting and defending pluralistic values across all our communities.

The Commission’s work is likely to include online extremism. This policy appears to be an approach to create new ideas to counter extremism. In order to be successful, the Commission will have to act impartially and ensure that fundamental rights are respected in all of their future policy suggestions.

The Government did not make it clear whether the Commission for Countering Extremism is a short-term "policy commission" or a long term body with permanent duties

Data protection

”A new law will ensure that the United Kingdom retains its world-class regime protecting personal data.”

The Data Protection Bill will replace the Data Protection Act 1998. The DPA is being removed by the EU General Data Protection Regulation that is coming into force in May 2018.

At the moment, it is not clear if the text of the GDPR will be brought into this Bill, or whether it supplements it.

The main benefits and elements specified in the QS background notes suggest that the Bill will implement some of the derogations in the GDPR and will include new rules for law enforcement agencies. The latter rules come from the EU Directive on the protection of natural persons with regard to the processing of personal data by authorities.

Privacy groups, including ORG, are asking the government to implement the optional right in the GDPR for organisations to bring collective complaints on data protection without the need for affected individuals to instruct them.

Other national developments

Tech companies establish the Global Internet Forum to Counter Terrorism

Facebook, Twitter, Microsoft and YouTube announced the formation of the Global Internet Forum to Counter Terrorism this week.

The aim to formalise and structure areas of collaboration between the four companies, smaller tech companies, civil society groups and academics and supra-national bodies (the European Union and United Nations).

The companies are going to cooperate on developing new technological solutions to detect online content that needs to be removed, research and knowledge sharing.

Jim Killock discussed in a blog if tech companies can do more to eradicate safe spaces online. You can read his take on the problems they face here.

Bulk data sharing by spy agencies was never reviewed by commissioners

Privacy International brought a case against bulk collection of data carried out by the GCHQ and MI5 in October 2016. The Investigatory Powers Tribunal ruled that several of these activities have been unlawful.

A follow-up hearing earlier this June revealed that there has never been a formal audit of information sharing. The lack of oversight became apparent from the letter authored by the Interception of Communications Commissioner’s Office and the Intelligence Services Commissioner. Their letter is a response to a request from Privacy International who asked for more information on the auditing of bulk communications and personal data.

The letter states that

"Neither commissioner with responsibility for the intelligence agencies, nor their inspectors, has ever conducted a formal inspection or audit of industry in this regard."

The Investigatory Powers Tribunal was also to consider the proportionality of the level of communication interference and the impact of EU law on mass data collection. The case has not concluded and will likely see more hearings.

Scotland

Scottish Parliament

Debate on cybersex trafficking

The Scottish Parliament debated the issue of live online streaming of sexual abuse of children. During the debate, MSPs commended the efforts of the International Justice Mission in highlighting child slavery and exploitation overseas and the Internet Watch Foundation for their work on taking down websites.

Finlay Carson (Conservative) suggested during the debate that the Scottish Parliament should consider more carefully “how privacy and encryption methods are now used and can make it more difficult for the perpetrators to be caught”.

Carson said that

”When Governments suggest that there should be more access to people’s internet logs, there is often an outcry about breaching human rights. Perhaps, in demanding human rights, we are abusing the rights of children who get abused.”

Responding to his comments, Stewart Stevenson (SNP) said that

”the […] unfortunate truth, however, is that that would simply not work. If someone encrypts what is going through, we do not know what is in the encrypted package. Yet encryption is an important part of protecting certain kinds of data on the internet, so we cannot ban it on the internet. That is simply not possible.”

Instead, Stevenson suggested using the “follow the money” approach and cut these websites from their cash flow and make it impossible for them to carry out their activities.

Europe

European Commission’s new legislation would allow police access tech firms data

The European Commission plans to propose new legislation that would allow EU police and law enforcement agencies to obtain electronic evidence from US companies.

The plans are the Commission’s response to the recent terrorist attacks across EU countries. The EU Justice Commissioner Vera Jourova introduced three options:

police/law enforcement agency in one EU state could directly ask a firm in another member state for data without consulting the state first
tech firms would be forced to share data with any force in any of the Member States
police and law enforcement would gain direct access to servers (e.g.cloud servers) and they would be able to retrieve and copy data themselves

The states are supposed to discuss what types of data would fall within the scope of the new legislation at a later stage, These could include location, traffic data or personal communications.

The suggested plans have not involved a judicial process for obtaining the data. Judicial process for data acquisition is crucial to ensure the law enforcement requests are necessary and proportionate.

The official documentation has not been published yet. The Commission is expected to present policy options at the end of 2017 or early 2018.

LIBE's draft report on e-Privacy Regulation asks to prohibit removal of encryption

Marju Lauristin, rapporteur for the European Parliament Committee Civil Liberties, Justice and Home Affairs (LIBE) presented a draft report on E-Privacy Regulation to the European Parliament on 21 June.

The e-Privacy Regulation will regulate electronic communications services, including instant messaging services, web based email and IoT devices. The legislation is to supplement the General Data Protection Regulation providing a similar type of protection to individuals.

In her report, Lauristin introduced several amendments that would have positive impacts on privacy protections for individuals.

1.The report offers strong support for end-to-end encryption and do-not-track technology.

It clearly states that

”when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited.”

2. The draft report widened the scope of the application of the legislation to machine-to-machine communications.

3. Lauristin amended the regulation to further limit the legal grounds to process communications’ content and metadata. The original proposals merely required the consent of one of the participants, the amendment requires both parties in the electronic communication to consent to allow data processing.

4. The report does not allow using consent to tracking users to be a prerequisite to using a service. A user should still be able to use a service, even though they decline to track their communications.

5. The amendments make clear that tracking users’ location or collecting information emitted through their wifi needs a prior consent.

6. The draft extends the maximum fines threshold to up to 20 million EUR or four percent of the company’s global turnover for violations of tracking rules for information stored on user’s device and information emitted by a device.

7. The report allows non-for-profit organisations to make complaints on behalf of users.

The draft report will be subject to a vote in the European Parliament (most likely) in Autumn 2017. If adopted, the different versions of the report will then be discussed between the Parliament, Council and Commission.

The draft report clashes with the proposals of the European Commission articulated earlier by Vera Jourova who revealed three possible ways of how the law enforcement could compel tech companies to afford them access to users’ communications and potentially prohibit encryption.

International development

UN Privacy Rapporteur calls for tackling of Internet regulation and censorship

The UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, demanded in his latest report that governments and companies tackle major threats of deliberate shutdowns of Internet access, censorship and data collection.

The report found that telecommunication companies and Internet service providers are increasingly becoming the essential players in monitoring expression online and enforcement of its suppression.

The report made recommendations for state and companies. The recommendations for states include:

independent assessments of interferences with privacy - the rapporteur suggests that at a minimum, states should ensure that surveillance is authorised by an independent judicial body and its scope is proportional and necessary;
review of all states activities into obtaining network access - the report recommends states review these activities in order to assess if they are lawful, necessary and proportionate;
state prohibition of prioritising certain types of Internet content for payment or commercial benefits - states should not be promoting the economic gain of private companies over users’ rights and freedom of expression.

The Rapporteur recommended that private companies strengthen their role in advancing users’ rights freedom of expression. The report further suggests that when states request corporate involvement in censorship or surveillance, they should attempt to prevent the adverse human rights impacts of their involvement as far as it is allowed by law.

The report was made to the UN Human Rights Council in Geneva. The human rights chief Zeid Ra’ad al-Hussein criticised Theresa May this week for her response to the recent terror attacks in Manchester and London.

UK Parliament Questions

Question on content creators

Tom Watson MP asked the Secretary of State for Business, Energy and Industrial Strategy, if he will ensure content creators are paid for the content they make available online.

Jo Johnson MP responded that the Government is currently working on these issues as part of the EU Digital Single Market strategy. Johnson said that the Government will continue to ensure there is a system for protection of intellectual property once the UK has left the EU.

Question on online sources of extremist propaganda

Lord Naseby asked the Government what measures they are taking to combat terrorist and extremist propaganda on social media and other online sources.

Baroness Williams of Trafford responded that they continue their cooperation with tech companies. She further said that they support the use of strong encryption but they want to ensure that the law enforcement and security and intelligence agencies are able to access the communications of criminals.

Question on online content removal

Nigel Huddleston MP asked the Prime Minister during her statement on the European Council, whether the Government would be willing to enact legislation if internet companies do not make sufficient progress with the removal of inappropriate content.

Theresa May MP responded that the Government is certainly willing to consider legislation. She stressed that she believes that the international pressure and cooperation will pressure the tech companies to do it themselves.

Question on the NHS hack

Jon Ashworth MP asked the Secretary of State for Health:

how sensitive data is protected in the NHS,
what steps the Department has taken to improve cyber-security in the NHS following the cyber attack on 12 May 2017,
what was the total cost of emergency measures put in place to address the attack,
how many similar incidents there have been since 2010, and
how many incidents there have been where patients’ data has been accessed or compromised and patient care has been interrupted.

Jackie Doyle-Price MP responded that the Department changed the NHS contract to include cyber security measures from April 2017. She noted that the use of unsupported systems is being reduced.

Doyle-Price said that the Chief Information Officer for health and care is undertaking a review into the attack and is expected to conclude in autumn 2017.

The cost of emergency measures to respond to the attack amount to £180,000. The Department refused to comment more widely on security matters.

Question on technical capability notices and encryption

Lyn Brown MP asked the Home Secretary, if she intends to activate the Section 253 of the Investigatory Powers Act 2016 regarding messaging services providing end-to-end encryption.

Ben Wallace MP responded that the Government will commence the Technical Capability Notice provision in due course. The will bring forward regulations setting out obligations which can be imposed on on telecommunications and postal operators. The secondary regulation will be subject to debate and a vote in both Houses of Parliament before they come into effect.

The Government refused to comment on which companies are going to be subject to these obligations.

Question on counter-terrorism review

Dan Jarvis MP asked the Home Secretary, what the timescale will be for the review of the Government’s counter-terrorism strategy.

Ben Wallace MP did not include any reference to the timescale in his response. Instead, he specified that MI5 and the police are conducting an internal review into the recent attacks in Manchester and London. David Anderson QC will provide assurance of the MI5 and police review.

ORG media coverage

See ORG Press Coverage for full details.

2017-06-04-City AM-London Bridge attacks: Facebook, Google and Twitter respond after Prime Minister Theresa May accuses them of providing "safe space" for terrorists: Author: Lynsey Barber; Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-04-East Lothian Courier-Theresa May criticised over ‘intellectually lazy’ internet regulation proposal: Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-The Independent-London Attack: Theresa May’s plan for Internet regulation could make life easier for terrorists, campaign group warns: Author: Andrew Griffin; Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-Business Insider-Privacy campaigners are outraged with Theresa May's 'draconian' internet regulation plans: Author: Sam Shead; Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-BBC News-London attack: Politicians v the internet: Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-BBC News-London attack: Tech firms fight back in extremism row: Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-Russia Today-Theresa May’s internet clampdown could backfire, warns civil rights group: Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-Insider-Google, Facebook and Twitter defend attempts to combat extremism after tech firm criticism by Theresa May following London attack: Author: Philip Gates; Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-ITV-Internet firms vow to keep working to remove terrorist content: Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-City AM-Theresa May vows 'enough is enough' and proposes crackdown on tech companies in the wake of the London terror attacks: Author: Julian Harris and Lynsey Barber; Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-Silicon-Theresa May’s Criticism Of Tech Companies Is ‘Politically Convenient’: Author: Matthew Broersma; Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05-Computer Weekly-Mixed reactions to PM's calls to regulate cyber space to prevent terrorism: Author: Warwick Ashford; Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-05- The Register-UK PM Theresa May's response to terror attacks 'shortsighted': Author: Rebecca Hill; Summary: Ed Johnson-Williams quoted on the Government’s response to the attacks being shortsighted.
2017-06-06-IT Pro Portal-Theresa May is wrong - we don't need more technology regulation: Author: Michael Moore; Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-08-New Statesman-The EU wants to give police direct access to tech firms’ servers: Author: Oscar Williams; Summary: Jim Killock quoted on the EU plans to allow law enforcement agencies request data from tech companies should include a judicial process for authorisation and oversight.
2017-06-08-City AM-General Election 2017: Theresa May's chilling assault on the internet serves only to make us more vulnerable: Author: Elliott Haworth; Summary: ORG mentioned in relation to the leaked draft of Technical Capability Notices policy.
2017-06-12-Metro-Theresa May ‘still plans to clamp down on the internet’ – despite losing her majority: Author: Rob Waugh; Summary: Jim Killock quoted on the Internet clampdowns being a distraction from the current political situation.
2017-06-12-The Inquirer-Open Rights Group stamps down Theresa May's continued talk of internet clampdowns: Author: Dave Neal; Summary: Jim Killock quoted on the Internet clampdowns being a distraction from the current political situation.
2017-06-13-The Independent-Theresa May’s Internet clampdown will be a distraction from ‘fragile’ government situation, activists suggest: Author: Andrew Griffin; Summary: Jim Killock quoted on the Internet clampdowns being a distraction from the current political situation.
2017-06-13-Belfast Telegraph-Theresa May, Emmanuel Macron plan to fine technology companies if they don't remove 'objectionable' content from their platforms: Summary: Jim Killock quoted on the Internet clampdowns being a distraction from the current political situation.
2017-06-13-IT Pro-Theresa May set to continue with encryption crackdown: Author: Zach Marzouk; Summary: Jim Killock quoted on the Internet clampdowns being a distraction from the current political situation.
2017-06-13-The Guardian-Watchdog questions need for new counter-terrorism powers: Author: Alan Travis; Summary: Jim Killock quoted on the Internet clampdowns being a distraction from the current political situation.
2017-06-16-The Guardian-Australian push to make decryption easier 'could threaten global internet security': Author: Paul Farrell; Summary: Jim Killock quoted on the Australian notices to companies to modify their products should be regulated to avoid unreasonable demands.
2017-06-19-Business Insider-Google on tackling terrorism: 'We, as an industry, must acknowledge that more needs to be done': Author: Sam Shead; Summary: Jim Killock quoted on the Internet regulation pushing terrorists underground.
2017-06-19-Quartz-The British government knows where terrorists gather on the internet, but it’s not telling: Author: Joon Ian Wong; Summary: ORG mentioned in relation to pointing out that backdoors to encryption as advocated for by Amber Rudd would create greater vulnerabilities.
2017-06-21-Sky News-Digital Charter to 'balance' online freedoms with protections, says Government: Author: Alexander J Martin; Summary: Jim Killock quoted on online companies ought to have as much incentive to protect free speech as they have to remove illegal material.
2017-06-21-Gizmodo-Queen's Speech: Here Are The Government's Tech Plans For The Next Two Years: Author: James O’Malley; Summary: Jim Killock quoted on online companies ought to have as much incentive to protect free speech as they have to remove illegal material.
2017-06-21-Cnet-UK and EU at odds over encryption, fighting terror: Author: Katie Collins; Summary: Jim Killock quoted on the Internet clampdowns being a distraction from the current political situation.
2017-06-21-Cnet-New UK laws could erase your cringey teenage Facebook photos: Author: Richard Trenholm; Summary: Jim Killock quoted on online companies ought to have as much incentive to protect free speech as they have to remove illegal material.
2017-06-23-Wired-Facebook launches Online Civil Courage Initiative to tackle rising extremism in the UK: Author: Victoria Woolaston; Summary: ORG mentioned in relation to the Internet regulation pushing terrorists underground.
2017-06-23-IB Times-Queen's Speech: IT industry reacts to tech pledges: Author: Jason Murdock; Summary: Jim Killock quoted on online companies ought to have as much incentive to protect free speech as they have to remove illegal material.
2017-06-24-Scotsman-Matthew Rice: Devolved voice vital for data security: Author: Matthew Rice; Summary: Op-Ed by Matthew Rice on ORG’s work in Scotland.
2017-06-26-Telecoms Tech News-Australia joins ‘Five Eyes’ partner UK in calls for weaker encryption: Author: Ryan Daws; Summary: ORG mentioned in relation to the leaked draft of the Technical Capability Notices policy.
2017-06-30-The Telegraph-Germany to fine Facebook and YouTube €50m if they fail to delete hate speech: Author: Cara McGoogan; Summary: Ed Johnson-Williams quoted on the new German law to fine social media companies who fail to remove illegal content getting the balance wrong.

ORG Contact Details

Staff page