ORG policy update/2018-w12

This is ORG's Policy Update for the week beginning 19/03/2018.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

  • ORG are fundraising to recruit more permanent members of our legal team. Join ORG today to help out!
  • ORG is running a petition against the Government’s misguided proposals threatening fines for internet companies who do not rapidly censor extremist material shared on their platforms. Sign the petition here!
  • ORG have launched an open call for ideas to develop a tool for consumers to enjoy their stronger rights under GDPR. This is a joint project with Projects by IF, funded through a grant from the Information Commissioner Office.

Official meetings

  • Jim Killock attended meetings with Andy Goodman of Bangor University, and David Gilliam of the Welsh Green Party, to discuss electronic voting.
  • Jim Killock also hosted presentations at Bangor University and Aberystwyth University about the issue of electronic voting.
  • Slavka Bielikova attended a Copyright Action Day in Brussels organised by C4C.
  • Javier Ruiz participated in several research workshops in Amsterdam as part of our VIRTEU project, together with colleagues from the Copenhagen Institute for Interaction and Design (CIID) and the IT University of Copenhagen (ITU).

UK Parliament

Labour MPs table amendment to DP Bill requiring development of a code of practice for ANPR

The Data Protection Bill Committee stage in the House of Commons continued this week on 20 (1, 2) and 22 (1, 2) March. The Committee discussed a code on processing personal data in education, personal data ethics advisory board and ethics code of practice, bill of Data Rights in the Digital Environment and review of Electronic Commerce (EC Directive) Regulations.

During this week's proceedings, Labour MPs tabled an amendment to the Bill that would require the Secretary of State to issue a code of practice in relation to automated number plate recognition (ANPR) systems.

This development comes out of a concern about a current lack of regulation around ANPR systems and privacy. According to The Register, "widespread use of ANPR means cameras across the country submit between 25 million and 35 million read records to the national ANPR data centre each day. There are more than 22 billion records in the database."

The Committee concluded their debate one day earlier than originally expected. The Bill as amended by the Committee will now be discussed during the Report stage, most likely after the Easter recess.

Other national developments

Cambridge Analytica data misuse scandal

This week saw a number of news stories about the misuse of Facebook users' data for psychological profiling purposes by a company called Cambridge Analytica (CA). Among other things, CA offered services to political candidates - claiming to be able to use their psycho-graphic approach to precisely target the specific interests of individual social media users with political advertisements that they are likely to respond well to.

On 16 March, Facebook publicly announced that it was suspending CA from the platform, over controversy that CA had received data from a third-party app developer in violation of the Platform Policy that Facebook publishes for app developers.

Former CA employee and whistleblower Christopher Wylie revealed how the firm used third-party apps to harvest data from 270,000 users and their friends, totaling around 50 million users.

After news of the above broke, it was also publicly confirmed that Facebook's Chief Information Security Officer Alex Stamos had quit the company back in December over disagreements around how Facebook was handling Russian influence on the platform. Though Stamos is still employed whilst finishing up his contract with the company, new reports suggest that department has been reduced from 120 staff to just three. Stamos famously quit Yahoo! back in 2015 over the company's compliance with a classified US Government directive that ordered them to build software that allowed them to scan all users' incoming emails in realtime.

The Information Commissioner's Office is aiming to acquire a warrant to investigate the activities of Cambridge Analytica, but this has been adjourned until at least Friday 23 March. Facebook confirmed in a press release that it had contracted the services of forensic auditing firm Stroz Friedberg, and auditors had been collecting data and records on-site at CA headquarters on 19 March, before the ICO were able to successfully gain a warrant to enter the building.

Markus Meechan (aka Count Dankula) guilty of posting "grossly offensive" video to YouTube

Previous policy updates have discussed the trial of YouTube performer Markus Meechan. On 20 March, Meechan was found guilty of an offence under Section 127 of the Communications Act 2003, which prohibits the sending of a message that is "grossly offensive or of an indecent, obscene or menacing character" using an electronic communications network.

Previously, the court had attempted to trial Meechan under the Scottish-only "threatening communications" offence. The Scottish offence carries a stronger penalty of up to 5 years imprisonment, but is much more narrowly applicable and harder to achieve a conviction under.

Meechan is due to be sentenced on 23 April, and faces a penalty of up to 6 months imprisonment, or an unlimited fine.

Questions in the UK Parliament

Question about bias in Police biometric scanning

David Lammy asked the Secretary of State for the Home Department, "what assessment her Department has made of the potential for bias against people on the basis of (a) gender and (b) ethnicity of the automated facial recognition software used by the (i) Metropolitan Police and (ii) South Wales Police".

Nick Hurd responded that "facial recognition software for which the Home Office has reviewed Privacy Impact Assessments compares images of members of the public captured by surveillance cameras with images of persons on a watch list". He also confirmed that potential matches found by the software were reviewed by a police officer before any action was taken, and that "people are not arrested solely on the basis of matches made by facial recognition software."

Question on NHS security following the WannaCry cyber attack

Keith Vaz asked the Secretary of State for Health and Social Care, "what steps his Department has taken to improve the security of the IT systems in the NHS since the cyber attack of May 2017".

Jackie Doyle-Price responded, noting that the department had taken a number of different steps to improve security since the attack, and that many of these steps were documented in the report "Securing Cyber-Resilience in Health and Care", published on 1 February.

International developments

US Congress passes law restricting intermediary liability protections for site operators

This week, the US Senate passed the Stop Enabling Sex Traffickers Act (SESTA) in a 97-2 vote. The Act had already been passed by the House of Representatives. As both Congressional Houses have now passed the Act, its final step is to receive approval from the President.

The Act, which is also sometimes referred to as the Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA), amends Section 230 of the Communications Decency Act 1996. This section provides protections for site operators from being held directly responsible for the content that users post using their service. The Act states that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider". This allows sites hosting any kind of user-generated content to be protected from laws which they would otherwise be subject to.

According to the EFF's Elliot Harmon:

SESTA/FOSTA undermines Section 230, the most important law protecting free speech online. Section 230 protects online platforms from liability for some types of speech by their users. Without Section 230, the Internet would look very different. It’s likely that many of today’s online platforms would never have formed or received the investment they needed to grow and scale—the risk of litigation would have simply been too high. Similarly, in absence of Section 230 protections, noncommercial platforms like Wikipedia and the Internet Archive likely wouldn’t have been founded given the high level of legal risk involved with hosting third-party content.

You can read more about SESTA/FOSTA on the EFF's blog post, or Ars Technica. The EFF also have a general overview of Section 230 available on their site.

ORG media coverage

See ORG Press Coverage for full details.

2018-03-22-The Register-El Reg deep dive: Everything you need to know about UK.gov's pr0n block
Author: Rebecca Hill
Summary: Myles Jackman quoted in a story about the current status of online age verification plans for pornographic content.
Topics: Online age verification
2018-03-21-Sky News-Cambridge Analytica: Mark Zuckerberg 'to break silence' on Facebook data scandal
Author: David Mercer
Summary: Jim Killock quoted in a story about Facebook's response to the Cambridge Analytica scandal.
Topics: Data protection, Privacy
2018-03-21-The Telegraph-From Obama to Tinder: Cambridge Analytica wasn't the first and won't be the last to exploit our data
Author: Eleanor Steafel, Guy Kelly, and Helena Horton
Summary: Alex Haydock quoted in a story about Cambridge Analytica and third-party apps' use of Facebook data.
Topics: Data protection, Privacy
2018-03-21-The Telegraph-How to protect your data on Facebook
Author: Matthew Field
Summary: Alex Haydock quoted in a story giving practical advice to users about how to limit the sharing of their data on Facebook.
Topics: Data protection, Privacy
2018-03-20-The Ferret-Electronic voting could pose security risk in Scotland, claim campaigners
Author: Karin Goodwin
Summary: Matthew Rice quoted in a story about the potential risks of electronic voting.
Topics: Data protection
2018-03-20-The Independent-Facebook's latest data scandal is just the beginning – and not even the worst of it, warn privacy experts
Author: Andrew Griffin
Summary: Javier Ruiz quoted in a story about Cambridge Analytica and third-party apps' use of Facebook data.
Topics: Data protection, Privacy

ORG Contact Details

Staff page