ORG policy update/2017-w28

This is ORG's Policy Update for the week beginning 10/07/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

Planned local group events:

  • Join ORG Birmingham for a workshop where we'll be offering free practical advice for replacing (or at least supplementing) Google services with independent services which do a better job of respecting your privacy and reduce your dependence on the internet giant. They will be meeting on 24 July.
  • Join ORG Cambridge for their monthly meetup to discuss the current state of digital rights, what the group has done in the past month, and what they are planning to do in the upcoming months.

National developments

Government’s response on cyber security and data

The Government announced that hospitals will receive additional funding of £21 million to improve their cyber security following the massive hack in May 2017 that made it impossible for hospitals to access patients’ data.

The WannaCry attack in May exploited a vulnerability in Windows XP used by UK hospitals and disabled access to computers.

The Government accepted recommendations made by the National Data Guardian for Health and Care in her Review of Data Security, Consent and Opt-outs and Care Quality Commission Review.

Dame Fiona Caldicott, the National Data Guardian, proposed new data security standards in her review, as well as a method for testing compliance with the standards, and an opt-out to make clear how people’s health and care information will be used and when they can opt out.

In their response to the NDG and the Care Quality Commission reviews, the Government states that they accept their recommendations. The response states that

”’Your Data: Better Security, Better Choice, Better Care’ announces that, to strengthen the safeguarding of information, the National Data Guardian’s position will be put on a statutory footing and stronger sanctions will be introduced by May 2018 to protect anonymised data, including severe penalties for negligent or deliberate re-identification of individuals.”

The recommendations include stronger sanctions to protect anonymised data, a new consent/opt-out model to allow people to opt out of their personal con dential data being used for purposes beyond their direct care, demonstrating clear ownership and responsibility for data security and providing evidence that health and social care organisation are taking action to improve cyber security.

The funding allocated to the NHS will be used to broadcast alerts to warn hospitals about threats to cybersecurity, creating a hotline to deal with incidents of breached cyber security and carrying out an onsite assessment to examine readiness to avert the attack.


LIBE’s report called on the Member States to share their plans for accessing encrypted data

The European Parliament’s Committee on Civil Liberties (LIBE) voted for a report advocating for the Member States to exchange best practices for “circumventing” encryption and to put more resources into the protection of critical infrastructure such as transport and energy networks from cyber attacks. The report was passed with 54 votes in favour, 4 against and 2 abstentions.

The draft report, written by Elissavet Vozemberg-Vrionidi, is not binding but is likely to be part of the European Commission’s proposal for a new cyber security strategy this autumn.

The report made recommendations for:

  • prevention of cybercrime,
  • strengthening police and judicial cooperation,
  • enhancing responsibility and liability of service providers,
  • cooperation between law enforcement and private sector in obtaining electronic evidence,
  • EU agencies to share and contribute their expertise to the Member States, and
  • improvement of cooperation with third countries.

Vozemberg-Vrionidi acknowledged in the report

”that technological advances in encryption allow legitimate users to better protect their data, but points out that malicious users deploy the same techniques to conceal their criminal activities and identities”

The recommendations ask the Member States to share any plans they have for accessing encrypted data and to promote the use of security measures such as encryption.

The report does not call for creating legal access by eroding encryption. German Green MEP Jan Philipp Albrecht said

“this doesn’t mean you need to circumvent encryption by technological means or get the legal instruments to do that. It means you have to discuss the question of how proportionate it is that if you get into one person’s device, you weaken the whole infrastructure.”

The LIBE’s stance on encryption in their newest report on the fight against cybercrime is in line with the Committee’s previous report on the e-Privacy Regulation. The report stated that

”when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited.”

Both reports are to be discussed by the European Parliament in autumn 2017. If adopted, they will be further discussed with the Council and Commission.

EP Committees voted for link tax and upload filter

Two Committees of the European Parliament - Culture and Education (CULT) and Industry, Research and Energy (ITRE), voted on their opinions on European Commission’s proposals for the Copyright Directive (pdf).

The Committees voted for the proposals that would prevent big Internet companies, such as Google or Facebook, from indexing news stories and using snippets for their descriptions. According to the proposals, they would require a permission from publishers and, potentially, would need to pay a fee.

The measure that was previously named as “link tax” is likely to have a negative impact on news publishing. Similar plans in Spain and Germany already proved to be disadvantageous to the news publishers.

The Committee for Culture and Education agreed to a “compromise amendment” regarding Article 13 that would require information society service providers that store or provide access to content uploaded by their users to enter into a licensing agreement with rights holders. Additionally, the compromise amendment also requires implementation of the upload filter, which would remove uploads as copyrighted material.

This amendment would make it impossible for people to upload legally obtained material onto any European cloud service. They would need to either install filters to block the uploading of copyrighted material or pay license fees for any copyrighted material that was uploaded.

The Committee on Industry, Research and Economy (ITRE) made changes in their opinion to Article 11 on the upload filter. Their opinion removed the reference to “content recognition technologies” without which the upload filter could not function. However, the Committee did not amend the Commission’s proposal where they suggest measures to prevent the availability of copyrighted works. This could be understood as preventive filtering.

The two opinions from the Committees are supposed to the final discussions in the main Committee on Legal Affairs (JURI). JURI will vote on the matter in autumn 2017.

International developments

Online protest to save the net neutrality rules in the US

Some of the biggest Internet companies (Amazon, Facebook, Google, Netflix, Reddit etc.) and advocacy groups took part in an online protest to highlight effects of changes to net neutrality regulation in the US. Many websites changed their homepages to show what it would look like if the new rules from the Federal Communications Commission(FCC) were already in place.

The protest also encouraged people to submit their comments in support of net neutrality to the FCC. Comments to the Commission can still be submitted here.

The FCC announced their plans to reverse the rules on net neutrality put in place during the Obama administration. The current net neutrality rules forbid ISPs from blocking or throttling lawful Internet content or prioritising content in exchange for payment.

In practice the change of rules could cause not payment-prioritised websites to load slowly. Users are likely to switch to another website that loads quickly or is offered on zero-rating as part of another service. Lack of net neutrality could also result in difficulties watching video content online because ISPs will be allowed to limits streaming video bandwidth within its network.

Revoking net neutrality rules will have a negative effect on consumer rights and in many cases will affect freedom of expression.

The situation in the UK is different due to the net neutrality regulation from the EU. You can read more on the post-Brexit situation here.

Russia passed a law to forbid the use of censorship-circumventing software

The State Duma, Russia’s lower house of the Federal Assembly, unanimously voted for legislation banning the use of VPNs and the Tor browser if they do not block access to a government-specified list of websites.

The Bill was overwhelmingly supported during its first reading and has not become a law yet. Duma representatives claimed that the law is necessary because the current censorship system is not performing sufficiently well.

The list of prohibited websites is likely to include any sites that offer software making it possible to circumvent censorship. The law will also require search engines to remove references to the blocked sites completely, making it impossible for people to see the full results and what websites are blocked.

UK Parliament questions

Question on ransomware attack

Louise Haigh asked the Secretary of State for the Home Department, what information the Department has on whether the ransomware virus that started affecting computers on 27 June 2017 is able to bypass the patch released by Microsoft for all platforms from Windows XP to Windows 10.

Ben Wallace MP responded that the National Cyber Security Centre is monitoring the situation closely and providing advice to the public and businesses.

Question on Europol

Stephen Timms asked the Secretary of State for the Home Department, whether they have assessed the effects of the potential loss of access to Europol's Terrorism Situation and Trend Report system on the UK's ability to tackle cyber crime.

Ben Wallace MP responded that the Government is clear that effective cooperation with the EU Member States on security, justice and policing in order to tackle serious organised crime will continue to be a top UK priority. He added that the Government will continue to invest in law enforcement capabilities to ensure delivery agencies have the capacity to deal with the increasing volume and sophistication of cybercrime.

Question on resources allocated to cybercrime

Chi Onwurah MP asked the Minister of State for the Cabinet Office, what assessment of spending on cyber security they have made in the public and private sectors and how much resources has each sector allocated to the issue.

Caroline Nokes responded that the National Cyber Security Centre is supported by £1.9 billion. This funding is part of the total resources and spend on cyber security across the public sector, complementing private sector investment. The Department has not made any comparative assessment of the resources or spend allocated to cyber security in the public and private sectors.

Question on intellectual property and social media

Chris Elmore asked the Secretary of State for Business, Energy and Industrial Strategy, what assessment they have made of the extent of the infringement of intellectual property through social media.

Jo Johnson MP responded that the Intellectual Property Office has commissioned independent research into the role that social media plays in directing consumers to physical counterfeit goods.

Johnson explained that the research how social media plays in the sale and distribution of counterfeited and pirated physical goods from six representative sectors: alcohol, cigarettes, clothing, footwear, perfume and watches.

Question on EU Internet Referral Unit

David Hanson asked the Secretary of State for the Home Department, how many referrals to the EU Internet Referral Unit have been made and how many of those have led to the deletion of Internet content in each year since 2015.

Ben Wallace MP responded that social media providers have removed over 270,000 pieces of terrorist-related material since February 2010 following referrals from the police Counter Terrorism Internet Referral Unit (CTIRU). In 2016, CTIRU secured the removal of over 8,000 pieces of terrorist content a month.

European Union Internet Referral Unit (EU IRU) has referred over 30,000 pieces of content and successfully secured the removal of over 80% of this content since its inception in 2015.

Question on the Data Ethics Commission

Baroness Harding of Winscombe asked the Government, what plans they have to set up a Data Ethics Commission.

Lord Ashton of Hyde responded that the Government will be more specific about the timing when they have consulted various groups that will be set up or have been set up. He continued that they will be considering various reports, particularly the Royal Society and British Academy report.

Question on ownership of personal data

Chi Onwurah MP asked the Secretary of State for Digital, Culture, Media and Sport, what regulations govern how personal data is used by political parties and other organisations.

Matthew Hancock MP responded that consumers’ personal data is protected by the Data Protection Act 1998. Organisations that process personal data and use it to make marketing communications are regulated by the Privacy and Electronic Communications Regulations 2003 (PECR).

Question on an adequacy agreement and data flows

Chi Onwurah MP asked the Secretary of State for Digital, Culture, Media and Sport, what plans they have to increase citizens' ownership and control of personal data.

Matthew Hancock MP responded that the Government intends to bring forward the Data Protection Bill. The Bill will introduce measures that will strengthen rights of individuals to control their personal data.

Question on children’s online safety

Ben Lake asked the Secretary of State for Digital, Culture, Media and Sport, what assessment they have made of the safety of children who play interactional games online with strangers.

Matthew Hancock MP responded that they have started work on the DCMS-led cross-government internet safety strategy which will give the Department the opportunity to consider issues of online safety for children and young people, including gaming. The Government is considering how this will be taken forward under the Digital Charter.

Question on privacy and Snapchat

Anna Turley asked the Secretary of State for Digital, Culture and Sport, what recent discussions they have had with the Information Commissioner's Office on the data protection and privacy implications of the Snap Map feature available to users of the Snapchat service, and if they are going to engage in conversations with Snap Inc. about the data protection and privacy implications of the Snap Map feature.

Matthew Hancock MP responded that the Information Commissioner’s Office has the prime responsibility for the protection of personal data and the right to privacy. The Government have discussed Snap Map with the ICO.

ORG media coverage

See ORG Press Coverage for full details.

2017-07-12-Motherboard-Europe Is Moving Closer to Forcing Google to Pay for News Summaries
Author: Ben Sullivan
Summary: Jim Killock quoted on the Copyright Directive proposals having a negative impact on news publishing.
2017-07-12-Sky News-Net neutrality: Should UK citizens be worried about US changes?
Author: Alexander J Martin
Summary: Ed Johnson-Williams quoted on the EU’s net neutrality protection rules being some of the strongest net neutrality protections in the world.

ORG Contact Details

Staff page