July 08, 2016 | Javier Ruiz

Overview of the Digital Economy Bill 2016

Our first impressions of the Digital Economy Bill 2016. We will be looking at each section in more detail over the coming weeks.

Digital Economy Bill 2016

The Digital Economy Bill 2016 was announced in the Queen’s Speech 2016, and has its first reading in the House of Commons this week. It will deliver several policy initiatives that ORG has engaged with over the past two years. Over the coming weeks, we will provide further analysis and campaign around the many issues raised by this far-reaching Bill.

The Digital Economy Bill looks like the drawer where all the "fix the internet" ideas that the current government has been considering over the past few years have ended up. Digital rights activists will be busy for some time.

• Part 1: Access to Digital Services

This part of the bill seems the least controversial and likely welcome. The government is introducing a new broadband Universal Service Obligation (USO) of 10Mbps and enhancing Ofcom’s powers to demand more transparency and compliance. We will be looking at this part of the Bill to see if there are any potential pitfalls, or improvements that can be presented as amendments.

• Part 2: Digital Infrastructure

This part includes a highly technical series of measures dealing with a range of infrastructural issues, from land acquisitions to spectrum management. There seem to be few digital rights issues.

• Part 3: Online Pornography

This is a very problematic section. After several years of discussions, the government is finally making it compulsory for all porn websites available in the UK to implement age verification. The Bill covers all commercial websites designed for sexual arousal, including materials classified as 18 and not only R18 (the hardcore that must be sold only in sex shops), located anywhere in the world. On demand services are excluded, and there are issues with the definition of commercial, but the intent is to capture as many websites as possible.

A new regulator will be created to deal with this challenging idea. There are very serious privacy and security issues here: the potential data breach of British citizens' porn preferences and credit card details is a blackmailer's paradise. The mechanisms for age verification are not defined, and making this work in a privacy-respecting manner will be very difficult, if even possible. Simple mechanisms such as providing a card or inputting a date of birth will not cut it. The Digital Policy Alliance (DPA) has been working behind the scenes with the porn industry and other sectors to try to define an industry-led standard for age verification. We have heard some vague ideas about using smart crypto and decentralised trust frameworks similar to the government initiative Verify, but there are no details available.

The main enforcement mechanism appears to be based on the wider “follow the money” approach we see in copyright debates. The regulator will work with payment providers to remove sources of income. It is very unclear how this is going to stop advertising funded websites as porn specialist ad networks may not be easy to get on board. The Bill also includes injunctions, but we need to analyse properly to what extent blocking will be used.

Original proposals to use the existing web blocking infrastructure for the mandatory blocking of all porn websites unless they complied – a whitelisting of age verified sites – seem to have been abandoned. But it is unclear if an aggressive regulator could use the powers in the Bill to block sites. We have concerns that making payment providers a core element of enforcement is part of the slippery slope away from due process and clear state responsibilities in Internet regulation.

• Part 4: Intellectual Property

The penalties for “online infringement” (communication to the public) are being increased from a maximum two-year to a maximum ten-year prison sentence. We ran a campaign during the consultation and it seemed that we had won the argument, but political pressure eventually bypassed the consultation process and other evidence.

Partly in an attempt to deal with headlines that this was “10 years for filesharing”, the IPO has rewritten the definition of criminal liability. They told us during meetings that the new definition would make it very clear that ordinary internet users - including filesharers - would not be targeted, and raising the penalty would also mean narrowing its application to real criminals. Unfortunately the final draft appears to be as bad or worse than the original, with a very low threshold of “having a reason to believe” that the right holder will be exposed to “a risk of loss”.

• Part 5: Digital Government

This part of the Bill is the conclusion of the long process of open policy making on data sharing, where ORG has been involved throughout. There are no big surprises there, and we have summarised the issues and concerns in various blogs and consultation responses.

Some of the proposals are not too problematic, such as sharing data to help to deliver winter fuel discounts, but when put together they amount to a massive shift in data processing across government. The safeguards proposed are not always strong enough and are mostly placed in codes of practice of dubious enforceability. Some of the proposals are more worrying. We have raised concerns particularly about the bulk sharing of civil registration data - births and marriages - without any apparent purpose limitation and with thin safeguards.

The proposals to share the data of people in debt across government departments are also worrying as they could affect vulnerable people and may not deliver benefits without changes to how data is handled. Even if government departments know that someone also owes money elsewhere, they cannot cancel or reprioritise the debt. Despite repeated assurances to the contrary, it is hard not to see this new power as connected with the new privatisation of debt collection across government with the Debt Market Integrator. It appears that the bill is creating the data sharing powers to enable policies that have not been properly outlined or discussed.

ORG will be seeking improvements in some areas: tightening purposes, strengthening safeguards and moving these from codes of practice to the face of the bill, and making any reviews proper sunset clauses requiring a Parliamentary reboot, rather than a ministerial nod.

We will also ask for the removal of the disproportionate powers for bulk sharing of civil registration, or at least severe restrictions on their scope.

• Part 6: Ofcom and Other Regulation

An omnibus within the omnibus Bill, this part contains a ragbag of measures around OFCOM, e.g. appeals process; but also apparently the power for the BBC and public service broadcasters to charge Sky and Virgin for retransmission. This is another area where we need further work picking up any issues.

There are also new powers for the ICO to deal with direct marketing and nuisance calls, which seem much needed, but may need improvements.

We will be campaigning on various aspects of the Bill. Get in touch or join ORG if you’d like to get involved.

Bill supporting documents Bill in parliament


June 29, 2016 | Jim Killock

How digital rights will be affected by Brexit

The UK’s vote to leave the EU means that we no longer have a clear idea what levels and kinds of protection of digital rights we will have in the future. Nearly all the relevant law is European. A lot depends on the kind of model of leaving the EU that the UK adopts.

The short term

Nothing changes in the short term. The UK must abide by legislation, incorporate new regulations and directives as they come along. Decisions of the Court of Justice of the European Union (CJEU) must be implemented. This could produce the potential for conflict between the UK and European Union, as the EU decisions will be seen to be less politically legitimate. However, it would be unwise for the UK to pick fights and fail to abide by EU law, as this would risk a swift ejection, and certainly weaken our negotiating position. Yesterday we also discussed the implications for the Investigatory Powers Bill debate.

Legislation that we currently depend on

Data Protection laws, e-privacy, net neutrality and other telecoms regulations, copyright enforcement and copyright laws are all currently written in the EU. Data retention and Passenger Name Record retention are also decided upon at EU level.

Some of this legislation is very positive. The new data protection regime will for instance provide much better enforcement of some basic privacy rights.

EU legislation also has to abide by fundamental rights, defined in the Charter of Fundamental Rights and interpreted and enforced through the Court of Justice of the European Union (CJEU). Outside of the EU, the direct influence of the CJEU on UK law will be much lessened.

Enforcement of human rights

Recently, the CJEU has made many major digital rights advances, such as limitations on data retention and requiring better privacy protections from the USA for data transfers, and thereby cancelling “Safe Harbour”. This has not always been popular with the UK government.

In the longer term the CJEU and European Court of Human Rights (ECHR) should work to the same privacy standards, so in theory the UK’s legislation will still be subject to the same considerations. However, the ECHR does not make instructions to UK legislators, but sets principles which must be taken into account when looking at laws. This leaves a lot of flexibility in the hands of legislators. In contrast, the CJEU as an EU court makes direct instructions to EU institutions about laws and decisions, which has been demonstrably effective.

The Single Market

It is possible that these laws continue to be important, depending on the level of future integration with the Single Market. If so, things will be difficult for UK digital rights advocates, and digital industries, in that we will have less opportunity to shape legislation, for instance by working with MEPs. Single Market access is commonly known as the “Norwegian model” or European Economic Area (EEA) membership.

However, many digital businesses will prefer having the legal frameworks to standing fully outside of the Single Market.

If we are in the EEA, then the CJEU is no longer involved in UK decision making regarding EU law. The EEA has its own court for these purposes. It does not consider human rights in its decisions however.

Single Market access is both economically rational and politically very difficult, especially given the debate about immigration, as free movement of labour is likely to be a requirement. There would still be payments to the EU. The major change would be control of fish and agriculture policy.

Many Conservative politicians seem to be edging towards this kind of position as a workable compromise, albeit they contend they can secure limits on free movement. EEA membership would satisfy the narrow of the referendum, .

Full Brexit

It is also possible that a ‘full Brexit’ leaving us outside of the Single Market would place all these laws into flux. At this point, the laws might be simply incorporated into UK law, or else, they would be reviewed and potentially scrapped.

For UK digital rights, this would be the most concerning. The pressure to deregulate in order to compensate for the loss of single market access would be very high. The changes could be made very swiftly, with little democratic oversight.

We would need to be confident that the UK develops much stronger constitutional protections for human rights to be fully supportive of a solution along these lines. We would need to be convinced that Parliament would be in control of the changes and would be given sufficient time to consider the changes it would be making.

There is a democratic case for a full Brexit, rather than staying within the Single Market while the EU sets laws with just consultation processes to understand the position of the UK government.

That said, the influence of EU legislation would not simply disappear. Passenger Name Record legislation may have to exist for flights to continue between the UK and EU, and data protection standards have to exist if UK companies trade with EU citizens. Even the USA has to provide these protections for Europeans. We could easily end up copying the bulk of legislation even outside of the Single Market, but of course, with even less influence over its development, and less of the economic benefits.

The digital environment is already international. There are good reasons for laws to become more consistent, rather than less. Whatever solution is adopted, this pressure will exist.

What do we do?

The Open Rights Group will engage in a discussion with supporters and experts about our preferred way forward, and how we deal with some short term issues, such as enforcement of net neutrality provisions. Decisions about the UK’s future will be based on much wider considerations, but we will explain the impacts of different models on digital rights. If you have thoughts about any of these issues, please let us know in the comments, or get in touch by email.


June 28, 2016 | Pam Cowburn

What does Brexit mean for the IP Bill?

The outcome of the referendum could affect the progress of the IP Bill.

One of the consistent criticisms by ORG and other civil society organisations has been that there has been insufficient scrutiny of such an important and far-reaching Bill. While parliamentarians, media and the public are preoccupied with the outcome of last week’s EU referendum, it's unlikely that such scrutiny will take place now. That’s why ORG has called for the progress of this Bill to be put on hold until we have a new Prime Minister and a clearer sense of what the UK’s political future looks like. The Government will no doubt do everything it can to keep the IP Bill on track but the political fallout of Brexit and ongoing legal cases could affect the Bill’s progress.

Watson/Davis ruling

The Court of Justice of the European Union is likely to issue its Judgment about the Data Retention and Investigatory Powers Act (DRIPA) case brought by MPs Tom Watson and David Davis. In 2015, the High Court ruled that parts of DRIPA were unlawful; the Government appealed and the case was referred to the CJEU. Their Judgment will have implications for the data retention powers outlined in the IP Bill.

In the short term, as negotiations proceed to leave, there may be a temptation to ignore CJEU rulings. However, this would be highly unwise, as it would leave the UK open to swift ejection from the EU on grounds of failing to abide by our treaty obligations. This would weaken the UK’s negotiating hand as well as angering our negotiation partners.

The European Court of Human Rights is different from the CJEU. It rules on the European Convention of Human Rights, which the UK is currently signed up to whether or not it leaves the EU – although the Home Secretary and possible Conservative Party leader Theresa May has called for the UK to withdraw from the convention.

In theory, the ECHR and Charter of Fundamental Rights set the same standards on privacy and other human rights. So in the long term, the same principles set from the CJEU judgments should eventually be set by the ECtHR in other new cases. However, this means new legal challenges that ask this court to explain the principles. And unlike the CJEU, the powers to instruct legislators to alter or delete legislation or remove decisions are absent. Instead, the ECHR gives general advice on the principles to be adhered to.

So theoretically, Brexit would have no effect on standards of privacy. In practice, if we are outside of EU law, protections related to many Internet matters will be weaker, in that they will take a lot longer to fix, and the government has much greater flexibility in addressing them.

Data protection

Under European data protection law, when companies are transferring EU citizens’ data to non-EU countries, there must be an adequate level of protection for this data. On Friday, the Information Commissioner’s Office issued a statement that said:

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary”.

This could mean that the IP Bill, as well as data protection law, will need to be reformed. As the Safe Harbour case brought by Max Schrems showed, the surveillance powers given to GCHQ, the police and government departments in the IP Bill could mean that UK companies cannot guarantee that they will meet the EU’s data protection standards. The consequences for UK business could be severe. Last week, Forbes reported that:

“More than three-quarters of the UK’s economy is based on services, and much of that involves the transfer of data. Digital industries represent 10 per cent of Britain’s GDP. And while the UK has historically been seen by many multinationals as a gateway to Europe, that’s a gateway that could now be slammed shut.”

General election

The new Prime Minister could call for a general election in late autumn to secure their political mandate and give the electorate the opportunity to vote on any offers negotiated about the EU. This could mean that the IP Bill is rushed through as part of the ‘wash up’ (the last few days before Parliament is dissolved). To do this with such a complex and large Bill would be unacceptable. Alternatively, the IP Bill could be put on hold until a new Government is formed. This would mean that the Data Retention and Investigatory Powers Act (DRIPA) sunset clause would expire in December 2016 but MPs could vote to extend this date before Parliament is dissolved.

Labour Shadow Cabinet resignations

Many members of Labour’s shadow Cabinet have resigned their posts since the referendum result and called for a change of Labour leader. Keir Starmer, who until now has been leading for Labour on the IP Bill, is among those who have resigned. ORG and others in the Don’t Spy on Us coalition have spent significant amounts of time talking to Keir Starmer to ensure that Labour were fully aware of our arguments. It is not clear who will now lead for Labour on the IP Bill but we will work to ensure that Labour continue to be fully briefed on why the Bill is not fit for purpose.

ORG will keep campaigning for the IP Bill to be amended - please support us by joining today. 


June 15, 2016 | Ed Johnson-Williams

Tesco Mobile customers should think twice before viewing ads for a £3 a month discount

Tesco Mobile has announced a new optional scheme in which its customers can get £3 a month off their phone bill. In return, customers agree to see adverts on their lockscreen "every few times" they unlock their phone.

Customers have to see "at least one ad, offer or piece of content" on at least 21 days each month to get the discount.

What are people going to be giving up for that £3 a month?

The implication is that customers get the £3 discount for giving up some of their time and attention to see and open or dismiss the adverts. In reality, they are also paying with their data. Tesco Mobile are working with a company called Unlockd to deliver the ads to people's phones. Tesco Mobile customers have to agree to Unlockd's privacy policy to get their £3 a month discount.

In addition to collecting customers' mobile number, email address, age, gender and interests at the signup stage, Unlockd's privacy policy says they will:

  • collect customers' location data to serve tailored adverts
  • create 'anonymous' data records of customers' personal data and use them "for any purpose"
  • transfer customers' personal data to the USA, the UAE, and India and process it there.

The links to Unlockd's privacy policy are difficult to find. Tesco Mobile's webpage (which is all most customers are likely to see) doesn't mention any of these personal data collection issues.

This is an optional scheme and companies should be able to make contracts with their customers. But the bare minimum standard should be that customers are asked for their genuinely informed consent when giving up privacy. This kind of data collection and processing needs to be flagged up much more clearly to customers to meet this standard.

Location data

Somebody's location data can be very sensitive. It can reveal all kinds of patterns about their life. It's reasonable to think that lots of people would like to avoid constantly sharing their location with a company that will put adverts on their phone lockscreen every day.

Unlockd's privacy policy tells customers to turn off location on their phone if they want to "deactivate this feature". That's the 'feature' of having your location collected to show you ads by the way. But for many people, location-based services like maps are one of the most useful things about having a smartphone. Asking people to give up maps so that they can opt out of their location being collected for advertising purposes isn't fair or reasonable.

'Anonymised' data records

Significant amounts of research have been done illustrating ways in which identifying individuals from anonymised data is both possible and practical. Unlockd saying they can "use and disclose anonymous data for any purpose" [our emphasis] is worrying to say the least.

Personal data transferred and processed abroad

Unlockd's privacy policy says they may transfer and process personal data to countries "including, but not limited to the United States, the United Arab Emirates and India, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world."

It is also worrying that people's data would be transferred to and processed in places where personal data and privacy are not as highly protected as they are in Europe. It is not made clear what the reasons are for data being transferred to and processed in these countries instead of in Europe.

Poverty and privacy

"You can save money by looking at adverts and giving up your personal data" is a message with big implications. Some people may have the means and freedom to choose to give up some privacy and attention for a discount. But for others, seeing adverts on your phone to save £3 on your phone bill might mean your family doesn't have to skip a meal. Of course it will not only be poorer people who will take Tesco Mobile up on this offer, but the incentive to give up some privacy in this case is surely stronger for poorer people.

We don't want a society where richer people can afford to retain their privacy and poorer people give up their privacy to make ends meet.

This is similar to what Christopher Soghoian, the ACLU’s principal technologist, calls the "digital security divide". Richer people are more likely to be able to afford Apple's iPhone which is encrypted by default. Most people buy cheaper Android phones which are not encrypted by default. In effect this makes it more difficult for thieves to unlock phones belonging to rich people than poorer people.

Customers should be cautious and consider the implications on their privacy before giving up their privacy for a discount. And if this business practice continues, or expands to other sectors, there is a danger that some people will feel they cannot afford not to give up their privacy.


June 13, 2016 | Slavka Bielikova

Investigatory Powers Bill Report stage and Third Reading

MPs discussed and voted on the Investigatory Powers Bill last week in the report stage of the Bill's progression through Parliament. This was MPs' third vote before the Bill was sent to the House of Lords. The Bill was passed by a vote of 444 to 69. Here's an overview of the points that were raised for discussion – many of which will be debated again by the Lords.

Privacy Clause

There have been repeated calls for an overarching privacy clause to be added to the Bill. The Home Office attempted to address this previously by inserting the word 'privacy' into a heading within the Bill, which was greatly derided. This time the Government proposed a new Privacy Clause 5; Labour also proposed their own privacy clause, Clause 21. It has been pointed out that the two clauses are very similar. Keir Starmer MP argued that Labour's clause tightened up references to human rights and public law. However, after discussion, he backed down in favour of the clause proposed by the government.

This clause only pays lip service to privacy and does little to restrain the powers in the bill.

Bulk Powers and warrants

Bulk powers were discussed extensively over the two days' debate. The Government has agreed to an independent review of bulk powers that opposition parties had asked for. This review will be carried out by David Anderson QC.

The Conservative party defended bulk powers, with many MPs using 'nothing to hide, nothing to fear' arguments.

Suella Fernandes MP (Conservative) even went as far as to justify the necessity of bulk powers by claiming we are in a war (in this particular case against Daesh). John Hayes followed her statements by saying it is not important whether the powers are necessary. What matters are safeguards that come with the powers.

Dominic Grieve (Conservative) emphasised that the Information and Security Committee recommended removing bulk equipment interference warrants from the Bill. Grieve also explained that he finds bulk powers necessary; targeted interception (suggested instead of bulk collection), according to him, is not always effective if it is not clear what the intelligence agencies are looking for.

Labour were broadly supportive of the Government. Keir Starmer (Labour) made references to the necessity of bulk powers for intelligence agencies several times in his speeches. He explained he understood their importance to tackle threats since he served as the Director of Public Prosecutions and worked closely with the agencies.

He was interrupted by David Winnick (Labour) who clearly stated that he doesn't accept the principle of bulk powers. Starmer responded with the reasoning that these powers are in use already and as such should be put in law so they could be regulated.

Starmer further expressed his appreciation to the Home Secretary for setting up the independent review of bulk powers to be conducted by David Anderson. MPs requested that Keir Starmer and John Hayes publish their letters on the terms of reference for the review they exchanged prior to the debate.

The SNP opposed the call for necessity of bulk powers in the Bill. Joanna Cherry MP (SNP) also welcomed the review of bulk powers; however she was more concerned with the consequences of the findings of the review. She stressed that the review needs to consider whether these powers are necessary at all. Cherry maintained the position that bulk powers go too far in a democratic country and should be removed from the Bill until the review establishes their necessity.


The Chair of the Intelligence and Security Committee (ISC) Dominic Grieve MP brought up issues of penalties several times from various angles. His first point of concern was about lack of penalties for abuse of power in the Bill. Minister Hayes assured him that these will be in place. Grieve requested that the Minister writes to him explaining what penalties will be incorporated in the Bill. He also pointed out that the penalties remain scattered throughout the whole Bill and would need a better structure.

Hacking warrants

Stephen McPartland MP (Conservative) raised an issue businesses might face when they need to comply with a hacking warrant. As laid out in codes of practice, communications service providers would be subjected to a technical capability notice, meaning they would need to notify the government of new products and services in advance of their launch. Essentially, UK-based companies will have to ask the government for permission to put their product on the market. This requirement will make it more difficult to innovate and could have a harmful effect on the UK economy.

Parliamentary privilege

New amendments discussed included extra protections for MPs against interception of their communications. According to the amendments, the Prime Minister will be responsible for approving hacking of MPs. Harriet Harman disagreed with this provision on the grounds of the PM potentially using this power for spying on the opposition and ministers.

Journalistic protections

New amendments were brought in to introduce minor changes to protect journalistic sources. However the MPs still debated who qualifies as a journalist. Andy Burnham voiced his opinion that voluntary bloggers shouldn't have the same protections as journalists.

Request Filter

Stephen McPartland (Conservative) brought up the issue of the request filter through probing amendments with an intention to obtain more information from the Minister. The biggest concern he voiced was regarding too many agencies having access to the request filter and Internet Connection Records. He also questioned who will be in charge of building the filter. McPartland pointed out that government has a notoriously bad record of building large IT projects and the filter might not even become a reality.

The Solicitor General responded that the request filter is there to limit what different agencies access. The Government has attempted to frame the request filter as something that restricts access to data but in reality it would create a vast population-wide database that could be analysed without a warrant.

Independent review of bulk powers

This topic came up several times despite being discussed at length the previous day. The main point of the discussion was the question from the SNP bench of whether the Minister (John Hayes) will consider removing the bulk powers provisions from the Bill if David Anderson's review shows they are not necessary. John Hayes avoided answering the question.

The Bill will be introduced to the House of Lords on 27 June 2016.


June 10, 2016 | Javier Ruiz

What the Commons changed in the #IPBill

The short answer is: not a lot, and nowhere near enough. As Andy Burnham and the Labour opposition have claimed they have made progress with the Investigatory Powers Bill, here is the lowdown on what really happened.

The vast majority of amendments presented by opposition parties were rejected with little discussion. Many were withdrawn as they were designed as probing amendments, aiming to force the government to explain itself and tease out justifications for policies. In practice it can sometimes be better to withdraw an amendment than push through a vote, as this allows for the option to re-introduce the proposal at a later stage when it may have better chances.

The government also proposed various amendments that were approved. This included some new clauses and smaller changes. The clause numbers below refer to the latest version of the bill as presented to the House of Lords, and may change when it becomes an Act.

General duties in relation to privacy (Cl 2)

The government and the Labour front bench have been patting each other's backs over this new clause, but we do not believe it will have a major impact. The clause asks to check “whether what is sought to be achieved by the warrant, authorisation or notice could reasonably be achieved by other less intrusive means”. It also mentions considerations for the integrity and security of systems and privacy in general.

This sounds good, but it is what those responsible for surveillance are supposed to have been doing all along. For example, internal MI5 documents produced in court show that these questions have been part of the requests for bulk datasets. It is unclear how this is ever challenged.

Modifications to interception and equipment interference warrants (Cl 32, 33, 34, 35, 111, 112, 114, 115, 172...)

There are quite a few new clauses on modifications to warrants, with restrictions to the changes that can be made. E.g. warrants for a single person, organisation or premises cannot be changed. The main substantial changes are a new requirement to notify a Judicial Commissioner of major modifications to interception or hacking warrants; and the need for a Commissioner’s approval in cases involving MPs or lawyers.

Tightening of modifications was one of the demands from Labour. While we have seen some concessions here, we do not think that notifications are enough.

Health records (Cl 187)

Another demand from Labour that has seen some concessions from government is restricting access to health records. The new clause requires an intelligence service to take special steps when making an application for a specific BPD warrant relating to health records, which are only to be kept and examined under “exceptional and compelling circumstances”. Unfortunately, exceptionalism has become the norm in the world of security, so this may provide little practical protection.

The clause also has some potential loopholes in that it only applies to specific warrants, and possibly not to class warrants, and then only to health records obtained from health professionals or health service bodies. It is possible that health records obtained from insurers or researchers are not covered by these safeguards.

Approval of national security and technical capability notices by Judicial Commissioners (Cl 227)

This new clause is arguably the biggest improvement so far in practical terms. Bringing Judicial Commissioners into the technical aspects of surveillance meaningfully will require some serious technical capacity in their teams. Unfortunately, as in the rest of the bill, the Judicial Commissioner must apply the same principles as would be applied by a court on an application for judicial review.

Extra safeguards for MPs (Cl 26, 105)

Lawful interception or hacking of MPs' communications will require the Prime Minister to approve the warrant. MPs may still be included in bulk data collection but not in a targeted manner.

The Human Rights Committee and many MPs wanted the Speaker of the House to be notified to ensure surveillance could not be used for partisan purposes. After all, the PM could be as tempted to spy on the opposition as his ministers. Unfortunately this provision was not agreed.

Trade unionists (Cl 20.6)

This has been claimed as a major achievement by Labour. The clause says that trade unionists cannot be targeted just because of this factor. Given the history of trade union attacks by the security services, sadly it is good to have it in the bill; but in practice it is likely that an investigation on trade unions would be justified under other rationale. The clause also leaves out other legitimate forms of association, social and environmental campaigning. As unions increasingly engage in “community organising” outside the workplace, they may see fewer benefits from this clause.

Journalists (Cl 73)

There are some small changes to ensure there is a public interest case in identifying or confirming sources of journalistic information. The NUJ does not believe these go far enough and recommended other amendments that were not passed.

Civil liability for certain unlawful interceptions (Cl 8)

A minor but important change. Somehow, the draft bill forgot to incorporate the provisions in section 1(3) of the Regulation of Investigatory Powers Act 2000, which provide for civil liability in certain cases of unlawful interception in a private telecommunication system. The clause simply closes that loophole, and shows what a rushed job this whole bill is.


June 07, 2016 | Jim Killock

It’s not over. We keep fighting.

We’d like to thank you for all the work you’ve done so far to challenge the IPBill. MPs voted in favour of the Investigatory Powers Bill by 444 to 69. This was disappointing but expected - we know how hard the Government is trying to push this Bill through.

But thanks to your campaigning, some MPs - particularly Joanna Cherry, David Davis, Alistair Carmichael and Stephen McPartland - did a great job in putting the Government under pressure. SNP, Lib Dem and Green MPs voted against. Many other MPs know that this matters to you, through your emails and tweets to MPs. And our campaign video, which many of you fundraised for, brought the bill to the attention of over 2 million social network users.

The fight isn’t over. First, the Bill will now be debated in the House of Lords where they’ll be putting the bill under more scrutiny. We have more chance of getting the amendments we’ve been fighting for in the Lords and we’ll be making them aware of the Bill’s flaws. The Lords have a recent track record of pushing back on bad legislation.

There are also important court cases coming up that we have intervened in. In particular, data retention and use of the police search engine called the “Filter” in the #IPBill could still be wounded by the Davis and Watson case. In this case, the High Court ruled that parts of the Data Retention and Investigatory Powers Act (DRIPA) were unlawful. 

It is ORG’s arguments on EU law and the applicability of the Digital Rights Ireland judgment that are making the running.

When Government appealed, the case was referred to the Court of Justice of the European Union. We made the argument that blanket data retention could not be necessary and proportionate. The court will clarify how EU law applies to UK data retention, which will be crucial. We will hear back from the court this summer, before the bill finishes in the Lords.

Whatever the government do, we will challenge mass surveillance in the courts. It is not acceptable to blur the line between legitimate, targeted surveillance of criminals, and the bulk analysis of whole population data.

Please help us to keep on fighting. Join us so we can continue to stand up to mass surveillance, first in the Lords, then in the courts.


June 03, 2016 | Jim Killock

Understanding and reviewing the bulk powers in the IP Bill

Parliament wants an independent review of the bulk powers contained in the #IPBill. This is a difficult task and there are significant requirements that need to be met if we are to value the results.

This post represents the opinions of Privacy International and the Open Rights Group. Other organisations are welcome to add their names as being in agreement.

The public operational case for bulk powers and review

The majority of the powers in the Investigatory Powers Bill are new to Parliament. While much of the capability is already in use by the security and intelligence agencies, the powers have been deployed under secret interpretations of statutes, which Parliament has not consented to. The primary reason Parliament was not able to consent to them is that the fact of the bulk powers was not avowed until very recently, and indeed, some are still not avowed.

As this is the first time that Parliament has considered the powers, it is right that the Government make full, detailed, operational cases from first principles for every such new power, and that each case is scrutinised. As of yet, the Government’s attempts at providing an operational case have been insufficient. There is much work to be done to give Parliament and the public a full picture of the scope and utility of the bulk powers.

An Independent Review

An independent assessment should be made of the operational case for each bulk power by a security-cleared panel who will have additional fact-finding powers, allowing them to scrutinise material that for national security reasons can't be made public. To this end, the launch of a review panel is a welcome one.

The review is a step forward in ensuring democratic accountability for the actions of our security and intelligence agencies. But to be credible, the review must:

1 Establish public terms of reference.

No terms of reference have yet been set. It is essential that terms of reference are agreed and made public immediately.

2 Take the time that is needed.

The panel cannot undertake a full review of the bulk powers contained in the Investigatory Powers Bill in the time frame provided. To do so, an assessment of the three security and intelligence agencies' investigative capabilities would be required, which will be impossible with the resource currently available to the panel. Should the panel expand the scope of their review or feel they are unable to complete the review with the level of rigour required in the time available, a time extension must be permitted, with the bulk powers split from the IPBill until the review can report back to their satisfaction.

3 Be produced by a balanced panel.

Perspectives from outside the intelligence community are needed to ensure independence, including civil liberties and human rights expertise. We recommend in particular the inclusion of a technical expert from outside the intelligence community, as well as the ability for the panel to request technical assistance from agencies in the form of seconding a technical staffer of the panel's choosing to work for the scrutiny panel. Recent panel reviews of bulk powers in the US should be consulted to ensure lessons are learned.

4 Examine the capabilities and their use, rather than the legal powers.

It would be unsatisfactory to review the high-level case for bulk powers without analysing how they have been, and continue to be, used in fact. The production of a new public operational case is only the beginning of that exercise. The bulk powers are drafted in such a way that there is considerable variety of technical capabilities that could be deployed under each of the bulk powers. The review must analyse the case for the capabilities, rather than just the power.

Capabilities the panel should consider include those that have had the least scrutiny, such as Bulk Communications Data Acquisition and Bulk Equipment Interference, due to their late avowal or, in the case of Bulk Equipment Interference, continued disavowal. Longstanding concerns about Bulk Interception of secondary data will also need detailed scrutiny.

5 Test the necessity of the bulk powers, not merely their usefulness.

Such capabilities need to be assessed not as to whether they are merely helpful, faster or offer some form of value, but as to whether, given the likely widespread intrusion that bulk powers result in, they are strictly necessary to prevent attacks in the UK. An essential aspect of this requires analysing case studies provided by agencies to determine whether more targeted measures could achieve the same or a similar goal.

6 Report publicly.

Unlike previously sensitive reviews, such as Nigel Sheinwald's review of the UK-US data sharing which remains classified, the review's report must be a public document.

The Government’s Current Operational Case

The existing 47-page "operational case for bulk powers", which was published alongside the introduction of the Bill, is inadequate. More than half of the document is introductory in nature, covering topics such as how the internet works, leaving an average of 5 pages devoted to each capability, with most of that material being already public in other explanatory documents. Despite the opportunity to provide concrete, solid examples of how bulk powers bring unique value, most of the material even within each section is kept at a high level. By way of example, the first three pages of the four-page Bulk Interception case cover (i) introduction to the power, (ii) current legal position, and (iii) new safeguards in the IPBill. The fourth and final page provides three one-paragraph case studies.

A new public operational case needs to be made. This operational case must go further than setting out individual, unsupported case studies. Sufficient material should be made public to permit detailed analysis, and stand the scrutiny of parliamentarians, civil society, academia and any other body.
