This is ORG's Policy Update for the week beginning 27/03/2017.

ORG’s work

ORG and other civil liberties groups, lawyers and other parties wrote to the Home Office this week regarding the consultation on Codes of Practice for the Investigatory Powers Act. The consultation lacks the explanatory detail needed to understand the set of documents and allows too little time to go through the huge volume of dense legal text; it could therefore be in breach of the Cabinet Office guidelines.

Without proper scrutiny, the IPAct can be subject to future abuse. Sign our petition to prevent abuse from the sharing of data with the US.

We were busy writing another letter alongside other NGOs to tech companies and the Home Secretary who met this week to discuss censorship in private. Amber Rudd called on the companies to remove encryption and to improve their performance in removing extremist material but decided to keep the meeting confidential. In return, ORG and other non-governmental organisations and charities called on Amber Rudd to be more transparent and open about the meeting and any informal agreements struck with the companies.

Planned local group events:

Join ORG Cambridge on Tuesday 4 April for their monthly meetup to discuss the current state of digital rights, what they've done in the past month and what they are planning to do in the upcoming month.

ORG Brighton is hosting an evening of talks all about the proposed changes to the Espionage Act on Tuesday 4 April.

Join ORG Leeds on Wednesday 12 April to find out from Jim Killock what the new law means for journalists and whistleblowers and what you can do to stop the Law Commission's proposals.

Join a Local Group! Our groups around the country meet with like-minded people to take action on current campaigns and have a huge role in our work.

Official meetings

Jim Killock attended a meeting in Brussels (hosted by EDRi and Access Now) on Tuesday 28 March for executive directors from across the globe to discuss their organisations and the digital rights challenges of the years ahead.

Javier Ruiz attended RightsCon in Brussels.

Parliamentary debates

DEBill

The last Report stage sitting of the Digital Economy Bill took place this week on 29 March after it was postponed last week.

The Third Reading in the House of Lords is set to take place on 5 April. The first set of tabled amendments for the Third Reading can be accessed here.

The newest version of the DEBill post-Report stage can be found here.

Letter by academics on copyright

A group of copyright academics, lawyers and campaigners (including ORG) sent a letter to the Minister for the Department for Business, Energy and Industrial Strategy (Universities and Science) Jo Johnson MP and the Intellectual Property Office regarding the provisions in the DEBill on online copyright infringement.

The letter suggests that the definition of offences for online copyright infringement should be narrowed down to avoid catching individual file-sharers, as the Government did not intend to imprison small-scale file-sharers for ten years.

The current wording of the Bill, however, would threaten exactly these people with criminal charges. The signatories of the letter also raised concerns that, due to the vague wording of the copyright offence, the Bill is likely to be in breach of both the European Convention on Human Rights and EU law. This is because the offence does not meet the criteria of proportionality and foreseeability: minor infringements appear to be criminalised, and it is unclear when an infringement would be regarded as sufficiently serious to attract a criminal sentence.

The copyright experts suggested narrowing down the scope of the offence by defining it as causing “commercial scale loss” or a “serious risk of commercial scale loss” instead of just causing “loss” or “risk of loss”.

The Minister is yet to respond to the letter.

Age verification

The Lords accepted a series of amendments last week on age verification for online pornography. These amendments reflected some of the criticism made by the Delegated Powers and Regulatory Reform Committee.

The Government introduced three statutory instruments to regulate the role of the age-verification regulator. These will outline what materials should be censored, the guidance provided by the AV regulator and the guidance provided by the Secretary of State to the AV regulator. They also created a new role for a regulator to hand out financial penalties for non-compliance. The amendments also set up a new independent regulator to administer the appeals process.

If no other amendments are tabled and passed, it appears that the age-verification system will be without privacy safeguards and with an unclear division of responsibilities between several regulators and an administrator of the appeals processes.

The draft codes of practice include guidance on the privacy approach for AV providers. The guidance states that

"The process of age verifying for adults should be concerned only with the need to establish that the user is aged 18 or above, rather than seeking to identify the user. The privacy of adult users of pornographic sites should be maintained and the potential for fraud or misuse of personal data should be safeguarded. The key focus of many age verification providers is on privacy and specifically providing verification, rather than identification of the individual."

The guidance also suggests using "privacy by design" as recommended by the ICO.

The language in the draft code uses "should" throughout the text instead of more normative expressions. This means that the wording of the code still makes it possible for AV providers to design their systems with purposes additional to age checking.

The guidance also states that the AV regulator will not be required to approve AV systems before they are adopted by adult websites, nor to require sites to offer a range of options. It will therefore find it hard to compel sites to allow users to choose the tool they trust. This stands in contrast to the UK Government’s own Verify system, which gives users a choice of trusted identity providers.

This approach is likely to create a monopoly of one widely used AV system, probably under the control of Mind Geek, who already have a dominant market position. The ability of the dominant provider to pick an AV ‘winner’ is likely to create a temptation to also build in less privacy-friendly measures, whether on an ‘opt in’ basis or otherwise.

This blog post by Jim Killock explains what exactly needs to be changed in the age-verification provisions.

Data sharing

The Government also passed amendments responding to the report by the Delegated Powers and Regulatory Reform Committee on data sharing. These amendments significantly improved the Bill’s Part 5 on data sharing but they might not be enough to provide all the necessary safeguards.

The amendments will:

make codes of practice statutory,

narrow down the definitions of specified persons who can access the data,

make closer ties between the functions and objectives of authorities accessing the data,

stop the Government from making future changes to the Bill after it is passed without proper scrutiny.

The Government also promised to review the Codes of Practice for data sharing before the EU General Data Protection Regulation comes into force in May 2018 (the UK intends to implement the GDPR fully).

The Government, however, has not tabled any amendments that would extend reviews to all powers under Part 5, not just fraud and debt powers. The Bill also has not clearly stated that public service delivery and civil registration powers should be used only to the benefit of people whose data is shared, not for punitive purposes. Similarly, there has been no amendment restricting the bulk sharing of civil registration data.

Read our previous blog that outlines the outstanding issues in the Bill in more detail.

Cyber security experts give evidence on risks in the UK

The Joint Committee on National Security Strategy (JCNSS) heard from cyber security experts on risks faced in the UK, the relationship between the public and private sectors, and the issue of international cyber norms and governance on 27 March.

The witnesses included:

Dr Richard Horne, Cyber Security Partner, PricewaterhouseCoopers

Rowland Johnson, CEO, Nettitude

Dr Brandon Valeriano, Reader in the School of Law and Politics, Cardiff University

Ollie Whitehouse, Technical Director, NCC Group

A recording of the session can be watched here.

Other national developments

Amber Rudd calls to remove encryption

Following the attacks last week in Westminster, the Home Secretary Amber Rudd MP called for the police and intelligence agencies to be given access to encrypted messages to prevent future terror attacks.

Her statement was subject to a wide array of criticism. Rudd’s demands are disproportionate and unrealistic. Moreover, powers to make backdoors to encryption possible already exist under the Investigatory Powers Act.

The IPAct gives the minister powers to issue “technical capability notices” to companies, instructing them to re-engineer their products to enable surveillance by police and intelligence agencies. This means that the Home Secretary could instruct WhatsApp to give those agencies access to the messages of targeted individuals.

Jim Killock explains the nuances of technical capability notices in a blog. You can read more about what powers Amber Rudd already has that would allow her access to someone’s messages here.

Encryption is used for other activities than just messaging (e.g. shopping, banking, etc.). Ed Johnson-Williams, ORG’s campaigner, explains five ways we all rely on encryption.

It is not clear how Rudd envisages backdoors to encryption would work without making millions of ordinary people less secure. Following her meeting with social media and tech companies, it would appear that encryption backdoors are not the Government's top priority since the meeting focused on censoring extremism.

Home Office meeting with social media and tech companies

Alongside the calls made by the Home Secretary Amber Rudd to remove encryption, she also called on social media platforms to tackle removal of extremist content on their websites.

Google, Twitter, Facebook and Microsoft were invited for a meeting on Thursday 30 March where Rudd urged them to be more proactive about tackling the spread of extremist materials.

ORG, together with other non-governmental organisations and charities, wrote a letter to the Home Secretary and company representatives urging them to be more transparent and open about the discussions they are having.

Regulating extremist content online is a form of state censorship. Even where it is legitimate, the public needs assurances that only illegal material will be sought out by government officials and taken down by tech companies. This can be achieved through transparency and judicial oversight.

Neither the Home Office nor the companies have responded to the letter.

IPAct Codes of Practice consultation

Civil liberty groups (including ORG), lawyers and other parties wrote to the Home Secretary Amber Rudd MP regarding the consultation on codes of practice for the Investigatory Powers Act. The letter raises concerns about the lack of explanatory detail needed to understand the set of documents, as well as the time constraints and the volume of CoPs, which make it near impossible to provide a meaningful response to the consultation.

The six-week consultation on 413 pages of five different codes of practice was launched in February and is due to close on 6 April.

The consultation lacks detailed information on the purposes of the Codes, the justifications for the approaches taken and the changes made to the draft codes.

In these circumstances, the consultation appears to be in breach of the Cabinet Office guidelines (Principle C: "Consultations should be informative. Give enough information to ensure that those consulted understand the issues and can give informed responses.").

ORG and other organisations called on the Home Office to:

1. Publish detailed information describing

the functional purposes of the Codes and the safeguards and duties they contain;

the justifications for the approaches within each code; and

the changes made to the draft codes since they were presented to Parliament.

2. Extend the deadline for the consultation to a full three months, starting at the point that the information above is published

3. Arrange briefings for lawyers, civil society and others to take them through the key points.

The Home Office should respond to the letter within the next 20 days.

Europe

EU legislation on encryption backdoors

The EU Justice Commissioner Vera Jourova declared this week that the European Commission will push for backdoor access to encryption used by apps in June.

She said she will propose several options ranging from voluntary business agreements to strict legislation. This public declaration comes after Jourova was “pushed” by politicians across member states to legislate on the issue.

The voluntary arrangement is supposed to offer a quick solution to the “problem”, with legislation to follow later. It might take several years to create and pass such legislation, and the UK might no longer be in the EU by then. It is likely, however, that the UK would follow the EU's legislative lead on this matter.

Privacy Shield

The European Parliament’s Civil Liberties Committee (LIBE) narrowly voted in support (29 to 25) of a resolution declaring Privacy Shield inadequate. LIBE issued a statement saying that the Privacy Shield arrangement has serious deficiencies that need to be fixed.

MEPs sitting on the committee called for the European Commission to make sure that the Privacy Shield agreement for data transfers for commercial purposes provides sufficient personal data protection that complies with the Charter of Fundamental Human Rights and the new General Data Protection Regulation.

In particular, the committee criticised the following points:

the lack of specific rules on automated decision-making or the general right to object, and the lack of clear principles on how the Privacy Shield Principles apply to data processors,

that “bulk surveillance” remains possible as regards national security and surveillance,

that neither the Privacy Shield Principles nor letters from the US administration demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to the US, and

the Ombudsperson mechanism set up by the US Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry out its duties.

LIBE’s resolution is expected to be voted on by the European Parliament in the first week of April.

International developments

No ISP privacy rules in the US

The US House of Representatives voted down ISP privacy rules this week, after the Senate did the same last week.

The legislation is now to be signed or vetoed by President Donald Trump. The White House has already issued a statement saying that the President’s advisers will recommend that he signs the legislation.

The ISP privacy rules, issued last year by the Federal Communications Commission (FCC), required broadband providers to get consumers' opt-in consent before selling or sharing web browsing history, app usage history and other private information with advertisers and other companies. The Senate and the House of Representatives have now passed a resolution ensuring that the rules have no force or effect and that the FCC cannot issue similar regulation in the future.

If Trump signs the resolution, ISPs will not be obliged to seek customers’ approval to share their browsing histories (and other personal information) with advertisers. The FCC rules required express informed consent, equivalent to opt-in approval from the customer, for the use of information such as: precise geo-location, health, financial and children’s information; Social Security numbers; content; and web browsing and application usage histories and their functional equivalents.

According to the rules, ISPs had to, at a minimum, provide their customers the ability to opt out of the carrier’s use or sharing of non-sensitive customer information.

From now on, ISPs will be able to word the consent for customer data sharing however they like. Since the opt-in requirement has been scrapped, this could easily be phrased in a deceptive manner, so that it is not clear to customers that they are agreeing to share their sensitive personal data simply by signing a contract.

Bruce Schneier explains what ISPs could do with customers' data here.

Trump signing off on the resolution will only add to the list of Privacy Shield deficiencies. The EU level of protection of personal data is supposed to be maintained even when EU citizens' data is in the US.

One of the European Parliament’s Committees (see Privacy Shield in this policy update) already declared Privacy Shield inadequate this week. The EU Justice Commissioner Vera Jourova was in Washington hoping to address some of these issues at her meetings with the US attorney general, the US secretary of commerce, and the US federal trade commissioner.

Questions in UK Parliament

Question on digital technology

Andrew Gwynne MP asked the Minister for the Cabinet Office what assessments have been made of potential security risks from component, platform and capability reuse beyond central government, and what steps the Government is taking to mitigate any risks.

Chris Skidmore MP responded that the security risk assessment depends on the type of information or service being shared.

Risk assessment uses a framework of best practice technology standards and certifications and expert assessments. Additionally, the Government Digital Service provides assurance through operational support, privacy assessments, security monitoring and information security management.

Question on crime and social media

Stephen Doughty MP asked the Secretary of State for the Home Department, how many Facebook, Twitter, Google+, Snapchat, YouTube and WhatsApp accounts have been closed or suspended on request of the Government due to involvement in terrorism, hate crime, targeted harassment in each of the last 24 months.

Sarah Newton MP responded that the Counter Terrorism Internet Referral Unit (CTIRU) refers content that it assesses as contravening UK terrorism legislation to industry. Removal is carried out voluntarily by companies if they agree that it breaches their terms and conditions. In 2016, CTIRU secured the removal of 120,000 pieces of terrorist material. The Home Office could provide the exact answer to the question only at disproportionate cost.

Question on technological protection measures

Louise Haigh asked the Secretary of State for Business, Energy and Industrial Strategy whether the Department plans to review restrictions on digital locks (technological protection measures) under the EU Copyright Directive as a result of Brexit.

Jo Johnson MP responded that the Government has no plans to review restrictions on technological protection measures, since these restrictions in EU legislation are derived from the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. The UK will remain bound by these treaties after it leaves the EU.

Question on surveillance expenditure

Kevan Jones MP asked the Secretary of State for Defence, what the Department’s spend was for submarines, combat air, air support, ships, helicopters, land equipment, weapons and intelligence, surveillance, target acquisition and reconnaissance in each of the last six years.

Harriett Baldwin MP provided the answer here.

Question on children and data protection

Lord Harris of Haringey asked the Government, what assessment they have made of concerns for child security and privacy presented by the marketing of My Friend Cayla dolls in the UK.

Lord Ashton responded that manufacturers of Internet-connected products should process personal data in accordance with the Data Protection Act and they should ensure that their devices have appropriate security measures built in and are secure by design.

Question on the ‘independent communications data authorising body’

Alistair Carmichael MP asked the Secretary of State for the Home Department:

what plans she has to give the independent communications data authorising body statutory underpinning;

what budget has been set aside to establish and maintain the independent communications data authorising body referred to in the IP Act Implementation, Programme Layer advert published on gov.uk on 17 March 2017;

whether staff for the independent communications data authorising body will be drawn from among existing officers working on data requests;

what plans she has to report to Parliament on the functioning of the independent communications data authorising body;

whether the budget for the independent communications data authorising body will be drawn from existing police budgets.

Ben Wallace MP responded that the Government is still considering the impact of the judgment from the European Court of Justice of 21 December 2016 on data retention.

Question on GDPR

Callum Kerr asked the Secretary of State for Culture, Media and Sport, what assessment the Government has made of the cost to UK telecoms providers of any divergence between EU and UK data protection laws after Brexit.

Matthew Hancock MP responded that the Government is assessing the full impact of the GDPR on areas of data processing.

Question on breaches of health databases

Louise Haigh asked the Secretary of State for Health what discussions the Department has had with the Information Commissioner on the breach of the SystmOne IT system, and what estimate he has made of the number of medical records at risk of being unlawfully accessed through the SystmOne IT system managed by the company TPP.

Nicola Blackwood MP responded that the ICO stated that there is no evidence of lost, misused or mislaid records. A number of measures are already being implemented and a full plan is expected to be in place by summer 2017 to respond to the concerns raised.

ORG media coverage

See ORG Press Coverage for full details.