ORG policy update/2017-w27

This is ORG's Policy Update for the week beginning 03/07/2017.


ORG’s work

  • ORG joined other signatories on a letter addressed to the leaders of the Five Eyes agreement responsible for the Security Community. A group of 83 organisations and individuals asked the five countries to rethink their stance on encryption and regulation of communication companies.

Planned local group events:

  • Join ORG Cambridge for a group outing on 11 July to see 'Risk', and to discuss Wikileaks, Assange and digital rights afterwards in the bar.
  • Come and meet the new Scotland Director on 11 July and reconnect with ORG Edinburgh members, or come meet some for the very first time if you've never attended.
  • Come along to ORG Leeds' privacy workshop on 12 July and learn how to protect yourself from mass surveillance and online crime.
  • Come and meet the new Scotland Director on 13 July and reconnect with ORG Aberdeen members, or come meet some for the very first time if you've never attended.
  • Join ORG Birmingham for a workshop where we'll be offering free practical advice for replacing (or at least supplementing) Google services with independent services which do a better job of respecting your privacy and reduce your dependence on the internet giant. They will be meeting on 24 July.

Official meetings

UK national developments

Letter to the Five Eyes countries asking not to tinker with encryption

An international group of 83 organisations and individuals (including ORG) signed a letter addressed to the countries of the Five Eyes agreement (the UK, US, Canada, Australia and New Zealand) opposing recent calls to change the rules on the use of encryption by communications and Internet companies.

The letter was responding to the reports of the Five Eyes meeting taking place last week that planned to press technology firms to share encrypted data with security agencies. It was sent to the leaders of the five countries responsible for the Five Eyes Security Community.

The letter states:

“Last year, many of us joined several hundred leading civil society organisations, companies, and prominent individuals calling on world leaders to protect the development of strong cryptography. This protection demands an unequivocal rejection of laws, policies, or other mandates or practices—including secret agreements with companies—that limit access to or undermine encryption and other secure communications tools and technologies.

"Today, we reiterate that call with renewed urgency. We ask you to protect the security of your citizens, your economies, and your governments by supporting the development and use of secure communications tools and technologies, by rejecting policies that would prevent or undermine the use of strong encryption, and by urging other world leaders to do the same."

Liberty can challenge bulk powers in the IPAct

The UK High Court granted permission to the human rights organisation Liberty to challenge parts of the Investigatory Powers Act 2016 relevant to bulk powers.

Among other powers, the Act allows UK law enforcement agencies and other public agencies to access, collect or retain bulk personal and communications data. In December 2016 the European Court of Justice (CJEU) ruled, in a landmark case brought forward by Tom Watson MP (and David Davis MP, who dropped his name from the case after he became the Minister for Brexit), that access to retained data must only be given in serious crime on a targeted basis when authorised by an independent authority, and that data should not be retained in bulk on the whole population.

Liberty was granted permission to challenge three powers outlined in the Act that grant the security services widespread surveillance abilities: the permission to hack into computers, the mass interception and collection of communications data, and the acquisition of personal data sets from companies and organisations. The High Court also allowed Liberty to seek permission to challenge other parts of the Act once the Government publishes other codes of practice, or by March 2018 at the latest.

The case will move forward if the group’s application for a cost-capping order is approved. Then the case will be listed for a full hearing in due course.

ICO ruled that the Royal Free NHS Foundation Trust failed to comply with the DPA

The Information Commissioner’s Office (ICO) ruled that the Royal Free NHS Foundation Trust in London did not comply with the Data Protection Act when it supplied the data of 1.6 million patients to Google’s DeepMind.

The two organisations partnered up to create the healthcare app Streams - an alert, diagnosis, and detection tool for acute kidney injury. The Royal Free provided the data as part of a trial to test the app.

The Information Commissioner, Elizabeth Denham, said that the

“investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.”

The ICO asked the Trust to:

  • establish a proper legal basis under the Data Protection Act for any future trials led by DeepMind;
  • set out how they will comply with the duty of confidence to patients;
  • complete a privacy impact assessment;
  • commission an audit of the trial and share the audit’s results with the Information Commissioner.

The Commissioner did not address the continued use of data by DeepMind.

The company said in a blog post:

“We were almost exclusively focused on building tools that nurses and doctors wanted, and thought of our work as technology for clinicians rather than something that needed to be accountable to and shaped by patients, the public and the NHS as a whole. We got that wrong, and we need to do better.”

DeepMind also outlined what changes they have made following the criticism of their conduct. They announced that they:

  • replaced the contract with the Royal Free with a more comprehensive one in 2016,
  • have published the contracts for subsequent NHS partnerships,
  • created a patient and public engagement strategy, and
  • appointed nine independent reviewers of their work.

DCMS set up the Digital Economy Council

The Department for Digital, Culture, Media and Sport (the Department has been renamed this week to include ‘digital’) launched the Digital Economy Council as part of implementing the UK Digital Strategy.

The Council has been set up to provide a forum for collaboration between the Government and leading industry actors in order to implement the Digital Strategy. Members of the Council include TechUK, Google, Facebook, Cisco, Dotforge, Coadec, TV Squared, BT and Apple.

The Council is set to promote the seven pillars of the Digital Strategy.

The Secretary Karen Bradley chaired the first meeting on 3 July. Minutes of the meeting have not been made available to the public at the time of writing.

ICO wants to become a global data protection gateway

The Information Commissioner’s Office published their first International Strategy. The aim of the strategy is to aid in meeting overseas data protection challenges between 2017 and 2021.

The strategy identified four main international challenges:

  • To operate as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period.
  • Maximising the ICO’s relevance and delivery against its objectives in an increasingly globalised world with the rapid growth of online technologies.
  • Ensuring that UK data protection law and practice is a benchmark for high global standards.
  • Addressing the uncertainty of the legal protections for international data flows to and from the EU, and beyond, including adequacy.

The ICO intends to become a global data protection gateway. This would involve establishing the UK as a country with a high standard of data protection legislation that can be interoperable with other countries’ data protection regimes applied to data flows. The ICO will work to develop new codes of conduct and certification under the EU General Data Protection Regulation and new mechanisms for international transfers.

The International Strategy complements the ICO’s new Information Rights Strategic Plan. The plan outlines the ICO’s intentions to increase the public’s trust in how data is used and shared and to improve standards through engagement and influence in the UK and abroad.

Terror watchdog likened Theresa May’s plans for fines to the practices of China

The Independent Reviewer of Terrorism Legislation Max Hill QC delivered a speech at the Terrorism and Social Media Conference in Swansea this week where he made comments on the narrative Theresa May uses in regards to Internet companies tackling the presence of extremist materials on their platforms.

Hill said

“I struggle to see how it would help if our parliament were to criminalise tech company bosses who ‘don’t do enough’. How do we measure ‘enough’? What is the appropriate sanction? … We do not live in China, where the internet simply goes dark for millions when government so decides. Our democratic society cannot be treated that way.”

May previously considered fining companies if they fail to remove extremist propaganda and terrorist material from their platforms. Companies such as Facebook, YouTube or Twitter would be likely to be subject to fines. Just last week Germany passed a law that would allow them to fine social media and Internet companies if they fail to remove inappropriate content within 24 hours.

The Government is at the moment engaging with industry on a voluntary basis. Google, Facebook, Microsoft and Twitter jointly with the Government launched the Global Internet Forum to Counter Terrorism.

The Government, however, has not ruled out legislating on the issue of content removal if the companies fail to develop systems to effectively remove extremist content from their platforms.


Inquiry into the police retention of mugshots

The Scottish Government announced an independent review into the use of biometric data and facial images to investigate crime.

The review will be carried out by an independent advisory group led by John Scott QC. The group will consider human rights and ethical implications of how the data is captured, used, stored and disposed of.

The review follows the publication of a report by HM Inspectorate of Constabulary in Scotland (HMICS). The report called for the consideration of legislation governing the retention of photographic images and the establishment of an independent commissioner and a new statutory code of practice on the use of biometric data.

The report highlighted that there is no statutory framework in Scotland regulating how the police use or retain photographic images. Most images are kept for at least six years, but those facial custody images related to more serious offences could be retained for up to 12 years.

The members of the group will include representatives from Police Scotland, the Scottish Police Authority, HM Inspectorate of Constabulary in Scotland (HMICS), the Crown Office and Procurator Fiscal Service, the Scottish Human Rights Commission and the Information Commissioner’s Office, experts from academia and the research community.

The group is expected to deliver the review by the end of the year.


Parliament wants rules to make products easier to repair

The members of the European Parliament approved recommendations for hardware companies to make their products easier to repair.

The Parliament called on the European Commission, Member States and producers to adopt the recommendations to make their products durable and of high quality, and to make it possible to repair and upgrade them.

The recommendations include:

  • robust, easily repairable and good quality products: "minimum resistance criteria" to be established for each product category from the design stage,
  • if a repair takes longer than a month, the guarantee should be extended to match the repair time,
  • member states should give incentives to produce durable and repairable products, boosting repairs and second-hand sales - this could help to create jobs and reduce waste,
  • consumers should have the option of going to an independent repairer: technical, safety or software solutions which prevent repairs from being performed, other than by approved firms or bodies, should be discouraged,
  • essential components, such as batteries and LEDs, should not be fixed into products, unless for safety reasons,
  • spare parts which are indispensable for the proper and safe functioning of the goods should be made available "at a price commensurate with the nature and lifetime of the product",
  • an EU-wide definition of "planned obsolescence" and a system that could test and detect the "built-in obsolescence" should be introduced, as well as "appropriate dissuasive measures for producers".

The European Parliament also asked the Commission to consider creating a voluntary European label that would list a product's durability, upgradability, and environmental sustainability.

The European Commission has not yet announced whether they will put the recommendations up for a vote. If they decide to do so and the recommendations pass, they are likely to become law.

The Parliament’s initiative mirrors efforts of groups like Repair Association and iFixit who have been advocating for replacement parts to be sold and repair guides to be made available to consumers and independent repair companies.

New EU Digital Commissioner

Mariya Gabriel was confirmed as the new EU Digital Commissioner. She will take the post previously occupied by Gunther Oettinger who left in January.

Gabriel’s candidacy was approved by MEPs during the Parliament’s plenary session with 517 votes in favour, 77 against and 89 abstentions. National governments are to approve the candidacy next.

She previously worked on security and foreign policy. Gabriel’s more detailed portfolio can be found here.

The new Digital Commissioner should start her job the week of 10 July.

UK Parliament questions

Question on extremism

During the oral questions on extremism, Keith Vaz MP asked the Home Secretary when the Government intends to introduce legislation similar to the legislation introduced in Germany, which allows social media companies to be fined up to £43 million for failing to take down illegal videos.

Sarah Newton MP responded that the Government are taking action by leading the international efforts to make sure that online platforms take their responsibilities seriously. The Government is considering all available options to make sure that extremist material on the Internet is stopped as soon as possible.

Statement from the Home Secretary on removing counter-terrorism online

Amber Rudd MP made a statement regarding the Government’s policy about removing counter-terrorism online.

Rudd said that the UK secured support from the countries of the Five Eyes agreement - Australia, New Zealand and the US for the campaign to take terrorist material offline. She plans to travel to the US to continue discussions with major tech companies to see what progress they are making on the newly announced global industry forum to tackle the terrorist use of the Internet.

Question on radicalism

Stephen Doughty asked the Secretary of State for the Home Department, what discussions they have had with social media and technology companies on tackling online extremism.

Ben Wallace MP responded that the Department continues to work closely with industry to create new innovative ways to tackle the terrorist use of the Internet. They have also engaged with partners on the international level to push the industry to take a more proactive approach.

Question on data protection and Brexit

Hilary Benn MP asked the Secretary of State for Exiting the European Union whether they have had discussions with EU negotiators regarding the need for a data adequacy decision when the UK leaves the EU.

Robin Walker MP responded that the UK’s future data sharing relationship with the EU will be one of a wide range of issues that need to be discussed with the EU.

Walker said that incorporating the General Data Protection Regulation into UK law will be the foundation of UK’s data protection legislative framework. The Government aims to provide a high level of data protection once the UK leaves the EU.

Question on cyber specialists in armed forces

Louise Haigh asked the Secretary of State for Defence, how many cyber specialists are employed by the armed forces.

Mark Lancaster MP responded that they are significantly growing the number of dedicated cyber experts to deliver cyber operations. His response did not answer Haigh’s question on how many cyber specialists are employed by the armed forces.

Question on cyber bullying

Stewart McDonald asked the Secretary of State for Digital, Culture, Media and Sport, what steps the Department has been taking to ensure social media companies tackle cyber bullying.

Matthew Hancock MP responded that the Government expects social media companies to have robust processes in place and to act promptly when all forms of abuse are reported. They are continuing to work closely with industry, charities, schools and parents to tackle the issue.

Question on extremism

Liam Byrne asked the Secretary of State for the Home Department what plans she has to introduce legislation on technology companies preventing the publication of extremist material.

Ben Wallace MP responded that tech and social media companies (Facebook, Twitter, Google and Microsoft) made a public commitment through a forum on tackling terrorist and extremist content online. Wallace said that the Prime Minister made it clear that the Government will also explore the possibility of creating legal requirements for communications service providers if they fail to take the necessary steps to remove extremist content.

Question on anti-hacking policy

Chi Onwurah MP asked the Minister for the Cabinet Office, whether the Government plans to implement a policy to prevent hackers from accessing and altering data used to inform government decisions.

Caroline Nokes MP responded that the Security Policy Framework sets out the mandatory expectations of how Government organisations must secure their data, including appropriate controls to protect against hackers and other cyber threats.

Question on XP machines

Chi Onwurah MP asked the Minister for the Cabinet Office, what the prevalence of “XP machines” is in the Government estate, the public sector and the private sector and what she is doing to reduce it.

Caroline Nokes responded that they have made good progress on dramatically reducing the number of devices running an XP operating system in the Government cyber-estate. The National Cyber Security Centre is leading on the issue and is coordinating work across government.

Question on the NHS hack attack

Meg Hillier MP asked the Minister for the Cabinet Office, whether they are willing to reconsider recommendations made by the Public Accounts Committee who found that large organisations are not clear on where to seek help in case of a cyber attack. The Cabinet Office rejected the recommendation to set out a detailed plan for how the National Cyber Security Centre will enable those under attack to get help.

Caroline Nokes responded that they have funded a substantial national cyber-security programme, which goes alongside expertise from the National Cyber Security Centre. The programme is directed specifically towards improving the cyber-security of Government and the wider public sector.

Debate on data flows and Brexit

During the Parliament’s debate on exiting the European Union and global trade, Barry Gardiner, the Shadow Secretary of State for International Trade, raised the issue of international data flow and its regulatory framework.

Gardiner recognised cross-border data flow as crucial to the digital economy and pointed out that setting up the regulatory framework to provide data protection for privacy and human rights is very complex.

He asked the Minister, Liam Fox MP, to set out what discussions he has had with industry on setting up separate trade policies for EU and non-EU countries on cross-border data flows and where the industry actors stand on the issue.

Fox did not directly respond to Gardiner’s comments during the debate.

ORG media coverage

See ORG Press Coverage for full details.

2017-06-30-New Statesman-Germany’s €50m fines for social media companies threaten freedom of speech, experts warn
Author: Oscar Williams
Summary: Ed Johnson-Williams quoted on the new German law to fine social media companies who fail to remove illegal content getting the balance wrong.
2017-06-30-The Inquirer-Rights groups want the 'Five Eyes' countries to blink off with their anti-encryption plans
Author: Dave Neal
Summary: Jim Killock quoted on political leaders putting people at risk of crime when calling for powers to weaken digital security.
2017-07-06-Red Flag-Weakening encryption is an attack on our freedom
Author: Michael Kandelaars
Summary: Jim Killock quoted on security experts being as united against encryption weakening as scientists are on climate change.
