May 08, 2017 | Mike Morel

A brief chance for better UK data protection law

The EU’s General Data Protection Regulation (GDPR) comes into force next year, updating a number of digital rights for UK citizens in the age of Big Data. Individuals stand to gain more control over their information and improve their awareness of consent, profiling, and automated decision making.

However, the GDPR’s enforcement within member countries has considerable flexibility. Of the many options within the law, one particularly crucial rule hangs in the balance–Article 80(2).

This rule permits privacy groups like ORG to independently represent the public in complaints about data protection law. Without it, privacy watchdogs like ourselves, Liberty or Privacy International would instead have to rely on individuals to bring a complaint.

But individuals do not always have the knowledge, expertise or time to identify and dispute faults in arcane terms and conditions. By ensuring Article 80(2) is enforced, privacy advocates will be free to directly address the Information Commissioner when corporations exploit your data.

The good news is there is something we can do about it. The Department of Culture, Media & Sport (DCMS) is currently holding a public consultation on the GDPR. The poor quality of this hurried consultation suggests this could be easily overlooked and forgotten about. That means we need your help to get Article 80(2) brought into UK law.

Time is short. The brief consultation ends Wednesday May 10. We have until then to make our voices heard. Click here to tell the DCMS to enforce Article 80(2).




May 04, 2017 | Jim Killock

DCMS consultation on data privacy fails to explain why it matters

New data privacy rights under the General Data Protection Regulation depend on a UK consultation which tells readers nothing about its implications

The General Data Protection Regulation (GDPR) sets out many new rights for UK citizens, including better notions of consent, the right to obtain and download your information, and to delete it at a company. You can also find out more about profiling and automated decision-making. There are big fines available when companies don’t comply after it comes into force in mid 2018.

However, many of the new rights will depend on enforcement. One of the better ideas in the regulation is to allow privacy groups to represent citizens in complaints, without having to find specific people who have been directly affected. The GDPR requires member states to choose to allow this, or not, in Article 80(2). We of course very much believe this should be legislated for.

There is a consultation being run by DCMS until Wednesday 10 May on all the different options allowed under the GDPR—and there are quite a few.

However, this consultation is another very disappointing piece of work. Shoddy, even, because it calls for evidence and views, but sets out no background at all for the consultation, so only experts can practically respond. It merely states:

Theme 9 - Rights and Remedies

Rights and Remedies

The derogations related to Rights and Remedies include articles:

Article 17 - Right to erasure ('right to be forgotten')

Article 22 - Automated individual decision-making, including profiling

Article 26 - Joint controllers

Article 80 - representation of data subjects

Government would welcome your views on the derogations contained in the articles above. Please ensure that you refer to specific articles/derogations.

There is no way that an average reader could understand the implications of this consultation, which, just like the recent Home Office consultation on the IP Act Codes of Practice, means that the consultation appears to breach Cabinet Office guidelines, which state that consultations should:

Give enough information to ensure that those consulted understand the issues and can give informed responses.

This consultation provides exactly no background information whatsoever. You wouldn’t begin to understand that they want to know if you are in favour of privacy organisations being able to make complaints to the ICO under Article 80, or not.

We feel sympathy for the staff at DCMS who have been asked to set out this consultation, and presumably have been prevented from spending time developing background documents due to capacity constraints. This should serve as a warning to us.

Once Brexit kicks in, DCMS staff will need to be able not just to recycle existing policy advice from EU and other organisations on legislation prepared elsewhere, but also to have the expertise to evaluate it and recommend changes. Under the Great Repeal Bill, they may have to advise ministers about things to remove, with little Parliamentary involvement — potentially including aspects of the GDPR of course.

Right now, however, DCMS officials appear to lack the capacity to even produce decent consultation documents for key privacy laws like the GDPR. Ministers should be demanding more resources, or we will start to see serious policy mistakes being made.



May 03, 2017 | Mike Morel

ORG delivers anti-Espionage Act petition to the Law Commission

Today marks the end of the Law Commission’s public consultation on their proposals to create a new Espionage Act that would jail whistleblowers and journalists who handle official data. Open Rights Group gave them exactly what they asked for―the voices of 23,385 members of the public, delivered right to their offices at the Ministry of Justice.

ORG’s petition broadly rejects The Law Commission’s proposals and demands they be dropped. The threat of up to 14 years in prison would have a chilling effect on whistleblowers and the reporters they contact, weakening free speech and the integrity of UK democracy.

Thank you to all the ORG supporters that signed the petition or emailed the Commission: they now know that thousands of citizens refuse to live in a country where journalists and government staffers are afraid to expose corruption.

We urge the Law Commission to take your requests seriously. That would be a huge improvement over the sham “consultation” that barely took place while the initial report was developed. Contrary to the Commission’s statements, they worked closely with government officials and lawyers while organisations like ORG, Liberty and the Guardian were given short shrift.

Whether the Commission’s final recommendations will take the public consultation into account remains to be seen. Meanwhile ORG supporters have given them no option to claim public support for a new Espionage Act.

ORG also submitted a comprehensive report along with the petition detailing concerns about the Commission’s proposals. Highlights include:

  • The Law Commission is not being upfront about their aims. Their proposals are obviously in response to the Snowden leaks but they do not mention this or other major cases related to the disclosure of official data. It is blatantly disingenuous to overlook such important cases and not consider how the powers in a new Espionage Act could have been used in these cases.

  • Their proposals go against the very essence of whistleblowing by requiring concerns about corruption or malpractice be reported to an internal ombudsman. Whistleblowers have often tried to raise concerns internally and got nowhere. Whistleblowing is a last resort to expose hidden injustices that are not being dealt with within organisations.

  • Their proposals take away far too many rights from the accused. The Government would only have to show that a defendant was aware of the damage that could be caused by disclosing information - even if no actual damage was caused. So even if journalists expose wrongdoing, like the MPs expenses scandal, they could not use a statutory public interest defence.

  • The proposals threaten free speech. Editors, journalists and whistleblowers would be intimidated by the risk of up to 14 years in prison just for handling data.

  • The UK Government recently enacted the most extreme surveillance law of any democracy, the Investigatory Powers Act. At a time when these powers should be scrutinised, these proposals would criminalise whistleblowers and journalists acting in the public interest.


May 01, 2017 | Jim Killock

Automated censorship is not the answer to extremism

Unbalanced Home Affairs Committee recommendations would threaten free expression

Today’s report by the Home Affairs Select Committee brands social media companies as behaving irresponsibly in failing to remove extremist material.

It takes the view that the job of removing illegal extremist videos and postings is entirely the responsibility of the companies, and does not envisage a role for courts to adjudicate what is in fact legal or not.

This is a complex issue, where the companies have to take responsibility for content on their platforms from many perspectives, including public expectation. There are legitimate concerns.

The approach the committee advocates is, however, extremely unbalanced and could provoke a regime of automated censorship that would impact legal content, including material opposing extremism.

We deal below with two of the recommendations in the report to give some indication of how problematic the report is.

Government should consult on stronger law and system of fines for companies that fail to remove illegal content

Platforms receive reports from people about content; the committee assume this content can be regarded as illegal. Sometimes it may be obvious. However, not every video or graphic will be “obviously” illegal. Who then decides that there is a duty to remove material? Is it the complainant, the platform, or the original publisher? Or an independent third party such as a court?

The comparison with copyright is enlightening here. Copyright owners must identify material and assert their rights: even when automatic content matching is used, a human must assert the owner’s rights to take down a YouTube video. Of course, the video’s author can object. Meanwhile, this system is prone to all kinds of errors.

However, there is a clear line of accountability for all its faults. The copyright owner is responsible for asserting a breach of copyright; the author is responsible for defending their right to publish; and both accept that a court must decide in the event of a dispute.

With child abuse material, there is a similar expectation that material is reviewed by the IWF who make a decision about the legality or otherwise. It is not up to the public to report directly to companies.

None of this need for accountability and process is reflected in the HASC report, which merely asserts that reports of terrorist content by non-interested persons should create a liability on the platform.

Ultimately, fines for failure to remove content as suggested by the committee could only be reasonable if the reports had been made through a robust process and it was clear that the material was in fact in breach of the law.  

Social media companies that fail to proactively search for and remove illegal material should pay towards costs of the police doing so instead

There is always a case for general taxation that could be used for the police. However, hypothecated resources in cases like this are liable to generate more and more calls for specific “Internet taxes” to deal with problems that can be blamed on companies, even when they have little to do with the activity in reality.

We should ask: is the posting of terrorist content a problem generated by the platforms, or by other wider social problems? It is not entirely obvious that this problem has in some way been produced by social media companies. It is clear that extremists use these platforms, just as they use transport, mail and phones. It appears to be the visibility of extremists’ activities that is attracting attention and blame on platforms, rather than an objective link between the aims of Twitter and Facebook and terrorists.

We might also ask: despite the apparent volumes of content that is posted and reposted, how much attention does it really get? This is important to know if we are trying to assess how to deal with the problem.

Proactive searching by companies is something HASC ought to be cautious about. This is inevitably error prone. It can only lead one way, which is to over-zealous matching, for fear that content is not removed. In the case of extremist content, it is perfectly reasonable to assume that content opposing extremism while quoting or reusing propagandist content would be identified and removed.

The incentives that HASC propose would lead to censorship of legal material by machines. HASC’s report fails to mention or examine this, assuming instead that technology will provide the answers.



April 05, 2017 | Jim Killock

A privacy disaster waiting to happen—the #DEBill on third reading

Today the Lords have their final debate on the Digital Economy Bill. No substantial changes are planned. This means all of the very severe problems with age verification, censorship and copyright sentencing still exist. Only in Part 5, about data sharing, has the government made significant improvements, although problems remain.

Age Verification: a privacy disaster waiting to happen

Age Verification is fraught, and likely to result in a chilling effect, where adults avoid visiting websites because of fears around the age verification technology. It is unclear that it is addressing a pressing social need; and while children do need support and education, a solution addressed at all adults is the wrong way to attempt it.

However, let us turn to the specifics.

Despite assurances that pornographic publishers will be obliged to use age verification tools that are privacy-friendly, the approach is almost certain to go wrong.

The government has chosen to leave the market to specify and provide the actual tools. They expect websites, rather than users, to choose which age checking product is used.

At this point we should remember that one website operator, MindGeek, controls the majority of the UK porn market. They are also keen to implement Age Verification, according to the government. The result will be that they will choose and probably own the dominant age verification product.

While we cannot know exactly what MindGeek would do, we should remember that they will be able to shape the AV product how they like. They could allow users to opt into lots of convenient services, such as saving their porn preferences, getting recommendations, and having their credit card details ready for quick and easy payment.

So long as these services and tracking of vast numbers of UK porn users is voluntary … then there is little that could be done to challenge it.

The consequences for privacy are enormous. New risks of tracking people’s sexual preferences will be created, and possibilities of data leaks will abound. It will be the government’s decisions that created this problem, as they failed to impose sufficient safeguards upon the age verification market.

Censorship: how much blocking would you like?

Any commercial pornographic website that doesn’t offer Age Verification can be blocked under the powers in the Digital Economy Bill. This blocking is meant to be a punishment: but the result will be the censorship of legal material.

The BBFC and government have attempted to assure people privately that the numbers of blocks will be low, and based on market share.

However, the power in the Bill is not limited in this way. How much is blocked is purely a policy and financial choice. The door is open for the government to be lobbied to block vast numbers of entirely legal websites. And there are plenty of people who think this would be a wise and necessary step, including MPs.

Copyright: dangerous criminal penalties for online infringement

For whatever reason, the government resisted our suggestion to limit criminal sanctions to “criminal scale” infringements or serious risks of “criminal scale” infringement.

The result is that any intentional infringement is a criminal matter. This is very different to the offline world, where large scale organised activity is required before criminal charges can be brought.

This cannot be proportionate; and it is not sufficiently foreseeable. While minor infringements may not be brought to court, it makes it impossible to know when something might attract a criminal charge. For individuals, the risk of “copyright trolls” issuing threats, or lawyers giving clients bad advice, can only increase.

Data sharing

The data sharing part of the Bill has undergone significant changes and will leave the House of Lords in an improved state. Following pressure from several civil liberties groups and the Delegated Powers and Regulatory Reform Committee, the Government tabled and passed important amendments on codes of practice and brought forward changes that narrow down definitions of public authorities.

We welcome that the Government specified the list of persons who may disclose and receive information both for public service delivery and for debt and fraud related to the public sector on the face of the Bill. The process of specifying persons entitled to participate in data sharing will be more transparent by not leaving all of these powers up to the Minister.

The Government also amended the Bill to require a specific public authority to only access data for purposes which are in line with its functions. The Bill ties functions of a public authority and its objectives closer together and it will create a more transparent environment where public authorities will be prevented from accessing data for purposes out of scope of their functions.

The Codes of Practice were made statutory by the Lords. Both Houses of Parliament must approve the Statutory Instrument before it becomes law. We repeatedly advocated for this amendment since most of the safeguards are placed in the Codes of Practice and not on the face of the Bill. Without statutory footing, the codes would have less statutory force and safeguards in the Codes wouldn’t be enforceable.

However the Government has not at all addressed the bulk use of civil registration data and they have not changed their stance on review for all the powers in Part 5 on data sharing.

Chapter 2 provides for the sharing of civil registration for any public body's functions without restrictions. The power is intended for bulk data sharing of the full civil register across government but this power hasn’t been sufficiently justified by the Government.

This Chapter leaves several questions without clear answers. We don’t know how these large databases will be stored and if at all encrypted. The Government said they have no intention to share the information with private companies but they did not provide a guarantee that they won’t do so in the future. We still believe this power should be removed from the Bill.

The Bill includes provisions on amending and repealing the chapters on debt and fraud after a review. The provisions will prevent Ministers from broadening these powers or removing safeguards from the Bill.

ORG would have liked to see reviews in place for all the powers under Part 5 of the Bill to increase transparency of data sharing and prevent unjustified onward disclosure of data to other public authorities.

The Bill doesn’t clearly state that relevant powers in Part 5 should be for the benefit of individuals and not for punitive purposes. This could leave wiggle room for future changes of purposes of data collection.

What is ORG going to do now?

ORG will be considering our options, including Judicial Review. These are very serious matters and nobody else will be stepping up to deal with them.

Join today

If you want to help our work, please join today. By joining you will help us beef up our legal team, led by Myles Jackman. We can only win with support from people like you.


March 27, 2017 | Ed Johnson-Williams

Encryption must not be a dirty word. Here're 5 ways we all rely on it

Encryption keeps us safe. Politicians must not threaten to weaken it.

British politicians are again putting pressure on Internet companies to make sure the Government can access end-to-end encrypted messages. We thought we'd remind them why encryption keeps us safe and secure.

1. Our national infrastructure depends on encryption

Our power stations, transport systems, hospitals and military all rely on encryption to communicate securely. They need encryption so they can reliably send and receive accurate, trustworthy information. Without that, our national infrastructure would be immeasurably more susceptible to attacks from other countries, non-state hackers, and criminals.

2. Our economy depends on encryption

Our banks, stock exchanges, payment systems, and shops also need to be able to send and receive reliable information without criminals or foreign powers' intelligence agencies intercepting or tampering with the transaction. We need to be confident that when we pay for something our data is secure. Our economy relies on that confidence and that confidence is made possible by encryption.

3. Our free press depends on encryption

When sources contact journalists with sensitive information about MPs' expenses, the Panama papers or the Snowden files, they rely on encryption to make sure they can blow the whistle. Sources can use encrypted communications to pass evidence of corruption and abuse to journalists in a secure way. That helps keep us informed and our press free.

4. Our online security depends on encryption

Nearly every major website's web address starts with HTTPS – keeping the connection between your computer and that website encrypted. Encryption stops someone snooping on your web use and intercepting your usernames and passwords when you're in a coffee shop.

5. Our devices’ security depends on encryption

Once you’ve encrypted your laptop, tablet, or phone, if someone gets their hands on your locked or powered-off device, they would need your password to decrypt and access the data. This stops thieves from stealing your phone and then accessing your emails, contacts, and texts.

Join ORG

Help us to challenge politicians’ dangerous and misleading comments about encryption. Join ORG today!


March 27, 2017 | Jim Killock

Amber Rudd already has sweeping powers to attack encryption

Amber Rudd has engaged in another attack on people’s security by suggesting that companies must be able to ‘remove’ encryption.

The striking thing is that if she was genuinely serious about her suggestion, she would not be making public demands; she would be signing legal orders to force companies to change their products. She would not be telling us about this.

Last year, the UK Government passed the Investigatory Powers Act, which gives British law enforcement and intelligence agencies vast surveillance powers.

These powers already purport to grant the minister the ability to issue a “Technical Capability Notice” with which Amber Rudd could instruct WhatsApp to re-engineer their product to be surveillance-friendly.

The TCN could, for instance, instruct WhatsApp to enable an invisible “third recipient” in the case of targeted individuals. Thus, even without asking providers to remove or weaken encryption, the UK believes it has found a way to legally compel companies to provide information from supposedly secure products.

There are enormous problems with TCNs. They can be “appealed” to a technical committee but it is unclear how well the process will ever deal with wider security concerns, or risks to the companies or their users. The process seems focused on ‘feasibility’ rather than whether introducing weaknesses is a good idea.

Fundamentally, anything which enables GCHQ to listen in could be available to someone else, whether another government, or perhaps a criminal who learns how to abuse the weakness.

These notices are not subject to any public guidance about their use. Unlike interception of communications, equipment interference (hacking), bulk communications data acquisition (mass surveillance), bulk personal datasets (everything government knows about you) and National Security Notices (orders to act), which have public codes of practice and the Home Office claims to be “consulting on”, there is no obligation for a Code of Practice on TCNs which might give some insight into how these issues might be balanced.

Those codes that have been published for consultation contain 415 pages of dense detail, a mere 15 paragraphs of explanatory information, while the public, lawyers and business have been given a mere six weeks to work out what they mean.

As you can imagine, the powers outlined in the codes for interception of communications, equipment interference and bulk communications data acquisition will grant Ms Rudd many avenues to surveil the likes of Adrian Elms.

We should use Amber Rudd’s cheap rhetoric as a launch pad to ask ourselves why she has such sweeping powers, and what the constraints really amount to.


March 22, 2017 | Javier Ruiz

MEPs start push back on online copyright censorship

A report for a committee of the European Parliament has pushed back against proposed legislation that would force the filtering of user-uploaded online content and restrict the use of press content online.

The EU is introducing some major changes to copyright legislation under a programme to improve the European Digital Single Market. This reform has reached an important milestone with the publication of a long-awaited report on a proposed new Directive. These changes will affect the UK after it leaves the EU, although the exact impact will depend on the level of access to the single market achieved after the negotiations between the UK government and the EU.

The proposed Directive on Copyright in the Digital Single Market contains measures that could have a negative impact on citizens. They include restricting the reuse of press content online and forcing platforms to censor user uploaded content. These proposed measures seem designed to protect incumbent European media conglomerates from Silicon Valley but will do little to promote a vibrant European digital sector.

The final report on the Directive for the Legal Affairs (JURI) Committee by Rapporteur MEP Therese Comodini Cachia (EPP, Malta) will provide the main point of scrutiny by the European Parliament, setting the lines for the final plenary vote. The draft report will now be open for amendments by MEPs from the committee until 30 March.

MEP Comodini Cachia should be commended for taking input from a variety of organisations - including ORG through C4C - and not only the industry lobbies that have such a disproportionate hold on policymaking around intellectual property.

Possibly due to these diverse perspectives, her report marks a shift from the latest stages in the debate towards a more balanced approach that considers both the interests of copyright owners and the rights of users. We still think that Ms Comodini could have gone further in certain areas.

Removal of the proposed press publishers’ right

The report proposes to delete the Commission’s proposal for a brand new copyright-like right for press publishers introduced by the Commission to widespread dismay from copyright experts, who have made clear that the introduction of a new right is unnecessary and would create a whole array of new problems.

The report rejects the argument that the Internet is intrinsically damaging to the press, with news portals and aggregators actually allowing readers to find more sources of news. This is evidenced by the experience of Spain, where a compulsory licence on news aggregators led Google to pull out its news service for that country, as they do not make any profit from it. This led to a drop in traffic to small publications.

There is broad agreement though that news publishers face serious challenges from online platforms. Some publishers have demanded a new right because they claim that they simply cannot enforce the existing copyright in their publications when news articles are copied by third parties, due to complex contractual relations with the authors of the pieces.

Ms Comodini proposes an alternative to a new right by giving publishers more powers to enforce existing copyright, which should provide enough protection. Her Amendment 52 gives press publishers legal standing to represent the authors of the works contained in their publications, being able to sue in their own name to defend the rights of such authors for the digital use of their press publications.

This is a very sensible proposal that should be supported by MEPs.

Improvements to filtering of user content by online platforms

The proposals would amend Article 13 of the draft Directive, which sets out obligations for online platforms to monitor and filter user content. These obligations would now be restricted to ensuring that agreements are concluded with rightsholders for the use of their works, removing references to “prevent the availability on their services of works or other subject-matter identified by rightsholders”.

The draft Directive makes platforms primarily responsible for preemptively checking that user uploaded content does not breach copyright. The report changes this, with rightsholders being responsible for identifying any misuse of their works, rather than prescribing “content recognition technologies” to be applied by online platforms. These changes go a long way to soften some of the worst aspects of the Draft DSM Directive by removing automated censorship.

The report also makes clear that copyright exceptions must be respected in any measures implemented and users shall have access to a court to “assert their right of use” (Am 60). This is very important when it comes to parody or criticism.

There are, however, some potential problems. We share concerns raised by the Copyright 4 Creativity (C4C) group that certain amendments could drag a broader array of online providers under these measures.

The original proposals were meant to cover services that both stored user uploaded files and made these available online, squarely aimed at YouTube. Removing the references to “storage” when defining the type of online services that would be in scope for these measures could widen the scope to many more online services.

Despite the improvements introduced by Ms Comodini, we recommend that MEPs vote for amendments that simply delete these provisions rather than trying to minimise them, as we cannot predict how they will be used, or misused, in the future.

A handful of US digital companies - Google, Facebook, etc. - have cornered the market and are at war with traditional media from news to music. Internet users are caught in the middle of this war when they upload and share the things they like.

Proposing that intellectual property agreements must be in place for all platforms actively making available user-uploaded content will create massive barriers to entry for new projects and damage the interactive nature that has characterised the internet in recent times. The explosion of free expression by ordinary citizens is something that should be celebrated and protected by governments, not traded in backroom deals between giant industry groups.
