ORG policy update/2017-w36

This is ORG's Policy Update for the week beginning 04/09/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

  • Save the date for ORGCon! It will take place on Saturday 4 November at Friends House on Euston Road in London. We have a second smaller event planned on Sunday 5 November in a different location (TBC). This year is all about the Digital Fightback. Confirmed speakers so far are Graham Linehan, Noel Sharkey, Helen Lewis, Jamie Bartlett and Nanjira Sambuli. Tickets will go on sale later so watch out for the email or announcement on Twitter.
  • ORG Scotland submitted a response to the Scottish Law Commission's consultation on the Defamation and Malicious Publication (Scotland) Bill 2017. You can read our full submission here.

Planned local group events:

  • Join ORG Birmingham for a workshop on Cybersecurity for ‘real people’ on Monday 25 September. The workshop will offer practical cybersecurity advice that can be applied in daily life. The workshop is not just for digital geeks!

Official meetings

  • Javier Ruiz attended a meeting with Microsoft, Facebook, Twitter, Google, OADH (Yahoo) and various civil rights organisations regarding international agreements between the US and the UK to give law enforcement agencies direct capabilities for interceptions of communications.

UK Parliament

Parliament is back in session as of this week. MPs have been mostly discussing the European Union (Withdrawal) Bill. No dates have been released yet for the discussion of upcoming digital issues, such as the Data Protection Bill, but we will keep you updated when we get them.

UK national developments

Investigatory Powers Commissioner starts work

The Investigatory Powers Commissioner officially began work on 1 September. The Investigatory Powers Commissioner’s Office (IPCO) took over from the Office of Surveillance Commissioners, the Interception of Communications Commissioner’s Office (IOCCO) and the Intelligence Services Commissioner. The new office is led by Lord Justice Fulford.

The IPCO’s team will include inspectors, technical and legal advisers, and scientists on a technology advisory panel.

The Investigatory Powers Commissioner will oversee, among other things, the interception of phone calls, handling of agents, and surveillance powers permitting bulk collection of communications data. The organisations that fall within the IPCO’s remit include GCHQ, MI5, MI6, the National Crime Agency, all police forces, the Serious Fraud Office, HM Revenue and Customs, local authorities, prisons and government departments.

In a recent tweet, the IPCO vowed to “Watch the watchers...”.

Statement of Intent on Data Protection Bill

The Government published a Statement of Intent in August regarding the Data Protection Bill. The statement does not tell us anything we have not heard before about the Bill; it merely reiterates that the Government is committed to strengthening data protection laws.

They intend to do this through the Data Protection Bill which will implement the EU General Data Protection Regulation. The Government previously promised to implement the GDPR in full despite Brexit, hoping to help the UK achieve data adequacy for international data transfers. After Brexit, the UK will need to apply for a data deal with the EU like other third countries do at the moment.

The new data protection rules will include, among others, stronger rights for people to have personal data held on them by companies erased, and changes to consent to data processing, which will now have to be expressed in a much clearer form.

However, the new data protection law could possibly be altered after Brexit and it is not clear how the Government plans to guarantee these new rights after Brexit.

The Government also announced they do not plan to implement optional powers in EU law that would allow consumer privacy groups to lodge independent data protection complaints in the public interest. Similar rights are already available in consumer rights law.

Prior to the Bill, the Government ran several assessments of cybersecurity in various sectors. Their findings can be found here:

Future partnership paper on exchange and protection of personal data post-Brexit

The Department for Exiting the European Union released a paper on the Government’s plans for post-Brexit partnership regarding sharing of personal data.

The Government pledged to

“work alongside the EU and other international partners to ensure that data protection standards are fit for purpose – both to protect the rights of individuals, but also to allow businesses and public authorities to offer effective services and protect the public.”

The UK plans to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model. Furthermore, the UK hopes to enable the national Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal.

New guidance for vehicle cybersecurity published

The Government published new guidance on cybersecurity for connected and automated vehicles. The guidance includes principles which should apply to designers, engineers, suppliers and senior level executives.

Eight basic principles of cybersecurity in connected and automated vehicles:

1. organisational security is owned, governed and promoted at board level

2. security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain

3. organisations need product aftercare and incident response to ensure systems are secure over their lifetime

4. all organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system

5. systems are designed using a defence-in-depth approach

6. the security of all software is managed throughout its lifetime

7. the storage and transmission of data is secure and can be controlled

8. the system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

More detailed principles can be found here.

Police use facial recognition at Notting Hill Carnival

The Metropolitan Police used facial recognition technology during the Notting Hill Carnival in London in August. The authorities used the technology to flag up suspects against a database of custody images; however, facial recognition technologies are known to have racial accuracy biases, where some software is likely to misidentify black people and women.

This is a particularly serious issue at a festival which celebrates African and Caribbean cultures. A group of various organisations (including ORG) signed onto a letter addressed to Cressida Dick, the Met Police Commissioner, asking them to ban the use of facial recognition cameras:

  • There is no legal basis for the use of facial recognition in public spaces.
  • There is no statutory oversight for the technology to be used by police. It is not within the remit of the Surveillance Camera Commissioner, Biometrics Commissioner or Information Commissioner at the moment.
  • The Met Police have not been transparent about the use of facial recognition - it is not clear how the images are captured and stored, retention periods or circumstances for deletion.

Crown Prosecution Service announced a new policy of parity between online and offline hate crime

Last month, Alison Saunders, the Director of Public Prosecutions, announced plans for more prosecutions and increased sentences for online abusers.

Under the new rules, the Crown Prosecution Service (CPS) will seek stiffer penalties for abuse on social media sites - these should reflect a parity between the treatment of online hate crime and similar offences carried out face-to-face.

The new policy documents cover different strands of hate crime: racist and religious; disability; and homophobic, biphobic and transphobic.

The CPS policy is well intentioned; however, there are several challenges prosecutors will face. Some offences employ highly subjective terms like “grossly offensive” and “obscene”, which could have a chilling effect on free speech if interpreted strictly.

Moreover, it is likely that the CPS’s intent to crack down on hate crime on social media may be hampered by the High Evidential Threshold test introduced by Keir Starmer, which was specifically designed to reduce the number of cases that would reach Court.

Europe

EU states raised concerns over upload filters and breach of human rights

A leaked note (pdf) revealed that several EU member states are concerned about proposals included in the Copyright Directive for mandatory upload filters.

The European Commission plans to modernise the EU law on copyright. The new version (Article 13) would require Internet service providers to monitor and filter content infringing copyright.

The upload filter narrative expressed in Article 13 of the reformed copyright text was previously criticised by digital activists (including ORG) and legal experts. The mandatory filters are likely to be in breach of human rights and established EU case law.

According to the leaked note, six EU Member States hold a similar opinion. Belgium, Czech Republic, Finland, Hungary, Ireland and the Netherlands requested clarification from the Council Legal Service on proportionality and compatibility of the new clauses with the existing law.

The Member States claim that the upload filters might interfere with freedom of expression and information, the right to protection of personal data, and freedom to conduct a business.

The questions are expected to be orally deliberated during the next working group on 11-12 September.

ORG media coverage

See ORG Press Coverage for full details.

2017-08-01-IoT Tech News-Editorial: EU regulations put AI startups at risk of being left behind
Author: Ryan Daws
Summary: Jim Killock quoted on the Commission’s proposals for copyright harmonisation in the EU being set to fail.
Topics: Copyright, European Union
2017-08-09-BBC-Tracking terrorists online might invade your privacy
Author: Peter Ray Allison
Summary: ORG mentioned in relation to the leaked technical capability notices consultation.
Topics: Investigatory Powers Act 2016, Privacy
2017-08-10-Alphr-The Snoopers' Charter: What is the Investigatory Powers Act and how does it affect me?
Author: Thomas McMullan
Summary: Alec Muffett quoted on the money being better spent on human means of investigating rather than on combatting secure communication across the Internet.
Topics: Encryption, Security, Investigatory Powers Act 2016
2017-08-16-IB Times-Police to use 'racist' face-scanning tech at Notting Hill Carnival 2017
Author: Jason Murdock
Summary: ORG mentioned as one of the signatories on the letter to the Metropolitan Police asking to ban facial recognition cameras from Notting Hill Carnival.
Topics: Biometrics, Privacy
2017-08-18-Telegraph-New regulations to change how advertisers use our data
Author: Rob Waugh
Summary: Ed Johnson-Williams quoted on people being aware of companies gathering, storing and selling vast amounts of their data.
Topics: Data protection, Privacy
2017-08-18-Lexology-The Data Protection Bill: a statement of intent
Author: Cameron McKenna, Nabarro Olswang
Summary: ORG mentioned in relation to the document listing derogations for the General Data Protection Regulation.
Topics: Data protection
2018-08-21-The Inquirer-UK Crown Prosecution Service launches crackdown on online hate speech
Author: Dave Neal
Summary: Myles Jackman quoted on the Crown Prosecution Service guidelines on hate crimes on social media being incredibly clumsy.
Topics: Online censorship
2017-08-22-The Sun-ANTISOCIAL MEDIA: Twitter users could be arrested for ‘unfriendly’ tweets as part of the CPS’s clumsy crackdown on hate crime
Author: Tom Wells
Summary: Myles Jackman quoted on the Crown Prosecution Service guidelines on hate crimes on social media being incredibly clumsy.
Topics: Online censorship
2017-08-22-The Guardian-UK considers internet ombudsman to deal with abuse complaints
Author: Owen Bowcott, Samuel Gibbs
Summary: Myles Jackman quoted saying that Internet companies should not be paying for policing their customers’ behaviour despite their big profits.
Topics: Online censorship
2017-08-22-Digit-Smile! You’re On Camera… Forever?
Author: Andrew Hamilton
Summary: ORG mentioned as one of the signatories on the letter to the Metropolitan Police asking to ban facial recognition cameras from Notting Hill Carnival.
Topics: Biometrics, Privacy
2017-08-24-IB Times-UK police database has 20 million citizen face scans - and no-one knows if it even works
Author: Jason Murdock
Summary: ORG quoted on wanting more transparency about the circumstances in which images captured by facial recognition cameras at Notting Hill Carnival are held, stored and deleted.
Topics: Biometrics, Privacy
2017-08-25-Times and Star-Barriers to help protect Notting Hill Carnival from Barcelona-style threat
Summary: ORG mentioned in relation to our calls to ban facial recognition cameras at Notting Hill Carnival.
Topics: Biometrics, Privacy
2017-08-29-The Register-So thoughtful. Uber says it won't track you after you leave their vehicles
Author: Andrew Silver
Summary: ORG quoted on Uber’s removal of post journey tracking being welcome.
Topics: Surveillance, Data protection
2017-08-30-The Canary-The Tories have just been caught snooping on our social media at a horrifying rate
Author: Steve Topple
Summary: Jim Killock quoted on the Investigatory Powers Act being one of the most extreme surveillance laws passed in a democracy.
Topics: Investigatory Powers Act 2016, Surveillance, Privacy
2017-09-05-The Guardian-Romanian whose messages were read by employer 'had privacy breached'
Author: Owen Bowcott, Kevin Rawlinson
Summary: Pam Cowburn quoted welcoming the ECtHR’s ruling that will force employers to give more explicit warnings to staff if they want to monitor Internet use in the Barbulescu case.
Topics: Data protection, Surveillance
2017-09-05-IT Pro-Should the internet be regulated?
Author: Zach Marzouk
Summary: ORG mentioned in relation to campaigning on several provisions in the Digital Economy Act regulating the Internet.
2017-09-05-The Scottish Sun-JEEPERS SNOOPERS: Scots cops snoop on 36,000 mobile phones and almost 17,000 computers in three years, shock stats show
Author: Robert Collins
Summary: Jim Killock quoted saying that Police Scotland should not be able to analyse mobile phones without a warrant.
Topics: Surveillance
2017-09-05-Hi-Tech Facts-You can't snoop on your employees' email, court tells employers
Author: Rachel Hardy
Summary: Pam Cowburn quoted welcoming the ECtHR’s ruling that will force employers to give more explicit warnings to staff if they want to monitor Internet use in the Barbulescu case.
Topics: Surveillance

ORG Contact Details

Staff page