This is ORG's Policy Update for the week beginning 15/05/2017.


ORG’s work

ORG launched a call for responses to the secret consultation on technical capability notices, which closes on 19 May. This relates to provisions in the Investigatory Powers Act, which allow the Government to force companies to modify the security of their products. The consultation was leaked by ORG as the Home Office had meant for it to be sent only to certain companies.

ORG have been running a petition to prevent President Trump from using the data collected by the UK intelligence agencies to strip away basic liberties. Don’t let Trump get his hands on our data, sign our petition now!

Planned events:

ORG is running or promoting hustings where our supporters can ask MP candidates about human rights and digital rights under Brexit, surveillance, privacy and censorship. The dates are as follows:

Official meetings

Javier Ruiz and Jim Killock attended a meeting with Lord Holmes about the provisions for data sharing in the Digital Economy Act 2017.

Jim Killock and Javier Ruiz attended a meet-and-greet event with the Information Commissioner’s Office and civil society representatives.

Javier Ruiz attended a workshop, hosted by the LSE Media Policy Project and Assistant Professors Orla Lynskey and Jean-Christophe Plantin, on ‘Consolidation of Platform Power’.

Javier Ruiz attended a workshop, hosted by the LSE Media Policy Project and co-chaired by Damian Tambini and Monica Horten, on ‘Internet Intermediaries in a Time of Political Uncertainty’.

Digital rights and General Election 2017

The three major parties published their manifestos this week. Here is a brief breakdown of issues relating to digital rights in each one of them. More topics can be found on our General Election 2017 Party Manifestos wiki page.

Labour Party manifesto

Manifesto can be found here.

Labour do not focus heavily on the digital economy, and digital rights are not very prominent within their manifesto. Although they say they would 're-introduce' judicial authorisation for investigatory powers, there are no proposals to roll back these powers. If elected, they would retain the Human Rights Act.

Data protection & privacy

"Labour is committed to growing the digital economy and ensuring that trade agreements do not impede cross-border data flows, whilst maintaining strong data protection rules to protect personal privacy."

NHS whistleblowers

"Labour will support NHS whistleblowers to make sure health service staff are able to speak up in support of the best possible standards for patients."

Sex and relationship education

"We will make age-appropriate sex and relationship education a compulsory part of the curriculum so young people can learn about respectful relationships."

Security and counter-terrorism

"When – as they sometimes will – these aims collide, the exercise of investigatory powers must always be both proportionate and necessary. We will reintroduce effective judicial oversight over how and when they are used, when the circumstances demand that our collective security outweighs an individual freedom. Labour will review the Prevent programme with a view to assessing both its effectiveness and its potential to alienate minority communities. In doing so, we will address the government’s failure to take any effective new measures against a growing problem of extreme or violent radicalisation."

Copyright

There's a "value gap" between people who make creative content, the manifesto says, and the digital services that profit from it. "We will work with all sides to review the way that innovators and artists are rewarded for their work in the digital age."

Defence

"Cyber security will form an integral part of our defence and security strategy and we will introduce a cyber-security charter for companies working with the Ministry of Defence. As the security threats and challenges we face are not bound by geographic borders, it is vital that as Britain leaves the EU, we maintain our close relationship with our European partners. Alongside our commitment to NATO, we will continue to work with the EU on a range of operational missions to promote and support global and regional security."

Liberal Democrat Manifesto

The Liberal Democrat Manifesto can be found here.

The Lib Dems have pledged to vote against any attempts to scrap the Human Rights Act or to withdraw from the European Convention on Human Rights. Moreover, they want to

“introduce a digital bill of rights that protects people’s powers over their own information, supports individuals over large corporations, and preserves the neutrality of the internet.”

Investigatory powers

The Lib Dems will

“roll back state surveillance powers by ending the indiscriminate bulk collection of communications data, bulk hacking, and the collection of internet connection records.”

Encryption

They will

“oppose Conservative attempts to undermine encryption.”

Surveillance victims

They pledged to

“notify innocent people who have been placed under targeted surveillance where this can be done without jeopardising ongoing investigations.”

Cybersecurity

“They recognise the expansion of warfare into the cybersphere, and will invest in the UK security and intelligence services and will act to counter cyberattacks.”

Internet

The Lib Dems will

“support free media and a free and open internet around the world, championing the free flow of information.”

Copyright

The Lib Dems will support

“growth in the creative industries, including video gaming, by continuing to support the Creative Industries Council and tailored industry-specific tax support, promoting creative skills, supporting modern and flexible patent, copyright and licensing rules, and addressing the barriers to finance faced by small creative businesses.”

Sexual and relationship education

They will introduce a curriculum entitlement – a slimmed down core national curriculum, which will be taught in all state-funded schools. This will include Personal, Social and Health Education: a ‘curriculum for life’ including financial literacy, first aid and emergency lifesaving skills, mental health education, citizenship and age-appropriate Sex and Relationship Education (SRE).

Also they will

“include in SRE teaching about sexual consent, LGBT+ relationships, and issues surrounding explicit images and content.”

NHS whistleblowers

The Lib Dems have pledged to protect NHS whistle-blowers.

Conservatives

Manifesto can be found here.

The Tory Manifesto contains a whole chapter dedicated to their Digital Charter. They have pledged not to bring the EU Charter of Fundamental Rights into UK law, and hint at a future review of the whole human rights framework, including the European Convention, in five years' time.

“We will not repeal or replace the Human Rights Act while the process of Brexit is underway but we will consider our human rights legal framework when the process of leaving the EU concludes. We will remain signatories to the European Convention on Human Rights for the duration of the next parliament.”

Intellectual property

“We will ensure there is a robust system for protection of intellectual property when the UK has left the EU, with strong protections against infringement.”

Online safety

“In harnessing the digital revolution, we must take steps to protect the vulnerable and give people confidence to use the internet without fear of abuse, criminality or exposure to horrific content. Our starting point is that online rules should reflect those that govern our lives offline. It should be as unacceptable to bully online as it is in the playground, as difficult to groom a young child on the internet as it is in a community, as hard for children to access violent and degrading pornography online as it is in the high street, and as difficult to commit a crime digitally as it is physically.”

Responsibility for online content

“Where technology can find a solution, we will pursue it. We will work with industry to introduce new protections for minors, from images of pornography, violence, and other age-inappropriate content...We will put a responsibility on industry not to direct users – even unintentionally – to hate speech, pornography, or other sources of harm. We will make clear the responsibility of platforms to enable the reporting of inappropriate, bullying, harmful or illegal content, with take-down on a comply-or-explain basis.”

Encryption

“In addition, we do not believe that there should be a safe space for terrorists to be able to communicate online and will work to prevent them from having this capability.”

Relationship and sex education

“We will educate today’s young people in the harms of the internet and how best to combat them, introducing comprehensive Relationships and Sex Education in all primary and secondary schools to ensure that children learn about the risks of the internet, including cyberbullying and online grooming.”

Data protection

“We will give people new rights to ensure they are in control of their own data, including the ability to require major social media platforms to delete information held about them at the age of 18, the ability to access and export personal data, and an expectation that personal data held should be stored in a secure way.”

Cyber security

“We will continue with our £1.9 billion investment in cyber security and build on the successful establishment of the National Cyber Security Centre through our world-leading cyber security strategy. We will make sure that our public services, businesses, charities and individual users are protected from cyber risks.”

Internet and digital economy regulation

“While we cannot create this framework alone, it is for government, not private companies, to protect the security of people and ensure the fairness of the rules by which people and businesses abide. … So we will establish a regulatory framework in law to underpin our digital charter and to ensure that digital companies, social media platforms and content providers abide by these principles. We will introduce a sanctions regime to ensure compliance, giving regulators the ability to fine or prosecute those companies that fail in their legal duties, and to order the removal of content where it clearly breaches UK law. We will also create a power in law for government to introduce an industry-wide levy from social media companies and communication service providers to support awareness and preventative activity to counter internet harms, just as is already the case with the gambling industry.”

National developments

NHS ransom revealed GCHQ putting citizens at risk

Last week, the Wanna Decryptor ransomware worm infected at least 200,000 computers in 150 countries. The attack heavily affected NHS Trusts who were unable to access patients’ information across the UK, causing operations to be canceled and appointments to be re-scheduled.

The WannaCrypt exploits that affected Windows XP (statement by Microsoft) were drawn from the exploits stolen from the US National Security Agency. Their tool EternalBlue was leaked online in April. This vulnerability was exploited by the NSA to hijack and spy on their targets.

As revealed in the Snowden documents, vulnerabilities are shared between NSA and GCHQ, and their use raises a number of concerns.

As Jim Killock discusses in his blog, GCHQ is responsible for offensive operations that may involve hacking and breaking into networks. However, a branch of GCHQ, the National Cyber Security Centre, was set up to protect organisations from cyber threats.

GCHQ knew about the vulnerability but failed to fix it and so effectively failed to exercise their defensive function. The current situation highlights that there is a conflict of interest between its functions.

This should be resolved by moving the UK defensive role out of GCHQ’s hands. Such an arrangement would make the inaction of the NCSC and others inexcusable after the exploit was known to be “lost” this April.

Due to the GCHQ, NCSC and NHS failing to take measures to ensure an appropriate level of security of patients’ information, the hack initiated a breach of the Data Protection Act. You can find out more about the issues related to the hack and Data Protection Act in this blog.

DeepMind obtained data on an inappropriate legal basis

A leaked letter has revealed that Google’s DeepMind received personally identifying medical records of 1.6 million patients on an "inappropriate legal basis".

The letter from the National Data Guardian, Dame Fiona Caldicott to Professor Stephen Powis, the medical director of the Royal Free Hospital in London, shows that the National Data Guardian found the legal basis for the transfer of information from Royal Free to DeepMind to be inappropriate.

The data was shared on the basis of providing “direct care”. However, according to Dame Fiona Caldicott, this is not valid. The confidentiality of patients’ records is strictly protected by law but the law does allow patients’ information to be shared in order to provide direct care.

DeepMind have been using the Royal Free patients’ data to create a smartphone app, Streams, which detects and informs clinicians if patients are suffering from acute kidney injuries. According to Dame Caldicott, despite the obvious merit of the app, the development did not provide direct care to patients.

She states that her opinion

“remains that it would not have been within the reasonable expectation of patients that their records would have been shared for this purpose,” she wrote.

The Information Commissioner’s Office is investigating the data transfer between the Royal Free Hospital and DeepMind. They said their investigation will conclude soon and they will take into account Dame Fiona’s comments.

Music industry calls for responsibility for piracy to be on ISPs

The UK Music coalition published their 2017 manifesto outlining their interest in intellectual property after Brexit.

The UK Music coalition represents the interests of artists, composers, the British Phonographic Industry, PRS for Music and others. Their manifesto is calling for more vigilance during the Brexit process so the music industry would benefit from it.

The Great Repeal Bill will give MPs an opportunity to change EU laws as they are converted into UK law. Most UK legislation on copyright derives from EU law. For this reason, UK Music is calling for minimal changes to the law.

“Withdrawal from the EU does not require substantial changes to the UK copyright framework. This continuity is critical to ensuring confidence amongst music businesses.”

“There is no evidence of the need for new exceptions to copyright. If this is not accepted by the Government then it would only serve to take away rights and undermine the potential for growth.”

The changes to copyright law they would like to see relate to stronger protections against piracy. They claim that

“initiatives should be developed to place responsibility on internet service providers and require them to have a duty of care for copyright protected music.”

Their suggestion would widen the level of support they get from ISPs. UK ISPs are currently cooperating with the industry to send piracy notices to their subscribers telling them how to obtain copyrighted material legally under the ‘Get It Right From A Genuine Site’ campaign.

International developments

Facebook fined by a French watchdog

The French Data Protection Authority CNIL fined Facebook €150,000 for breaching the Data Protection Act.

CNIL found that they created

Facebook also used a cookie to collect the browsing activity of Internet users but failed to inform them about the collection of data from third-party websites.

The fine follows a formal notice from CNIL, issued in January 2016, ordering the company to comply with France’s Data Protection Act within three months. The watchdog claims that they have received unsatisfactory responses to their concerns. They found that Facebook still has these issues:

They do not provide direct information to Internet users concerning their rights and the use that will be made of their data, in particular on the registration form.

They collect users’ sensitive data without obtaining their explicit consent.

By using the web browser settings, they do not allow users to validly oppose cookies placed on their terminal equipment.

They do not demonstrate the need to retain users’ IP addresses.

Following the French investigation, Facebook is now also being investigated by the data protection authorities of Belgium, the Netherlands, Germany and Spain. In Belgium, the Privacy Commission renewed their recommendations over Facebook’s tracking of users and non-users through cookies, social plug-ins and pixels. A hearing is arranged for October 2017. The Dutch data protection authority also found that Facebook failed to provide sufficient information to their users about how their data is used. They are currently assessing whether the violations have stopped and whether they will issue a fine. Germany is looking into Facebook’s use of WhatsApp user data and the Spanish data protection authority has opened two infringement procedures against Facebook.

ORG media coverage

See ORG Press Coverage for full details.
