Liberty News

 2017: April-June



  Threats to privacy and free speech...

Open Rights Group comment on the Queen's Speech


23rd June 2017

There are references to a review of Counter-terrorism and a Commission for Countering Extremism which will include Internet-related policies. Although details are lacking, these may contain threats to privacy and free speech. The government has opted for a "Digital Charter", which isn't a Bill, but something else.

Digital Charter

This isn't a Bill, but some kind of policy intervention. Perhaps the Digital Charter will be for companies to voluntarily agree to, or a statement of government preferences. It addresses both unwanted and illegal content or activity online, and the protection of vulnerable people. The work of CTIRU and the IWF are mentioned as examples of work to remove illegal or extremist content.

At this point, it is hard to know exactly what harms will emerge, but pushing enforcement into the hands of private companies is problematic. It means that decisions never involve courts and are not fully transparent and legally accountable.

Counterterrorism review

There will be a review of counterterrorism powers. The review includes "working with online companies to reduce and restrict the availability of extremist material online".

This appears to be a watered down version of the Conservative manifesto commitment to give greater responsibility for companies to take down extremist material from their platforms. Already Google and Facebook have issued public statements about how they intend to improve the removal of extremist material from their platforms.

Commission for Countering Extremism

A Commission will look at the topic of countering extremism, likely including on the Internet.

This appears to be a measure to generate ideas and thinking, which could be a positive approach, if it involves considering different approaches, rather than pressing ahead with policies in order to be seen to be doing something. The quality of the Commission will therefore depend on its ability to take a wide range of evidence and assimilate it impartially; it faces a significant challenge in ensuring that fundamental rights are respected within any policy suggestions it makes.

Data Protection Bill

A new Data Protection Bill "will fulfil a manifesto commitment to ensure the UK has a data protection regime that is fit for the 21st century". This will replace the Data Protection Act 1998, which is in any case being removed as the result of the new General Data Protection Regulation passed by the European Parliament last year. Regulations apply directly, so the GDPR does not need to be 'implemented' in UK law before Brexit.

We welcome that (at least parts of) the GDPR will be implemented in primary legislation with a full debate in Parliament. It is not clear if the text of the GDPR will be brought into this Bill, or whether it supplements it.

This appears to be a bill to at least implement some of the 'derogations' (options) in the GDPR, plus the new rules for law enforcement agencies, that came in with the new law enforcement-related Directive and have to be applied by EU member states.

The bulk of the important rights are in the GDPR, and cannot be tampered with before Brexit. We welcome the chance to debate the choices, and especially to press for the right of privacy groups to bring complaints directly.

 

 Update: Supporting hackers, phishers and thieves...

Germany joins chorus of governments wanting an end to a safe and encrypted internet


15th June 2017

German authorities want the right to look at private messages on services such as WhatsApp to try and prevent terrorism. Ministers have also agreed to lower the age limit for fingerprinting minors to six from 14 for asylum seekers.

Ministers from central government and federal states said encrypted messaging services, such as WhatsApp and Signal, allow militants and criminals to evade traditional surveillance. "We can't allow there to be areas that are practically outside the law," interior minister Thomas de Maiziere told reporters.

Among the options Germany is considering is source telecom surveillance, where authorities install software on phones to relay messages before they are encrypted. That is now illegal.

Austria is also planning laws to make it easier to monitor encrypted messages as well as building out a linked network of cameras and other equipment to read vehicle licence plates.

Meanwhile Japan is also introducing mass snooping in the name of the prevention of terrorism. See "Japan passes 'brutal' counter-terror law despite fears over civil liberties" from theguardian.com

 

 Update: The Dementia Party...

Theresa May hints that she will continue her policies to make the internet less secure from hackers, phishers and thieves


15th June 2017

Open Rights Group has responded to Theresa May's post-election hints that she will continue with Conservative plans for Internet clampdowns.

Executive Director Jim Killock said:

To push on with these extreme proposals for Internet clampdowns would appear to be a distraction from the current political situation and from effective measures against terror.

The Government already has extensive surveillance powers. Conservative proposals for automated censorship of the Internet would see decisions about what British citizens can see online being placed in the hands of computer algorithms, with judgments ultimately made by private companies rather than courts. Home Office plans to force companies to weaken the security of their communications products could put all of us at a greater risk of crime.

Both of these proposals could result in terrorists and extremists switching to platforms and services that are more difficult for our law enforcement and intelligence agencies to monitor.

Given that the priority for all MPs is how the UK will negotiate Brexit, it will be especially hard to give the time and thought necessary to scrutinise these proposals.

It could be tempting to push ahead in order to restore some of Theresa May's image as a tough leader. This should be resisted. With such a fragile majority, greater consensus will be needed to pass new laws.

We hope that this will mean our parliamentarians will reject reactionary policy-making and look for long-term, effective solutions that directly address the complex causes of terrorism.

 

  NHS ransom shows GCHQ putting us at risk...

Government snoops prove unable to keep their backdoor access tools safe from hackers


14th May 2017

The NHS ransom shows the problems with GCHQ's approach to hacking and vulnerabilities, and this must be made clear to MPs who have given them sweeping powers in the IP Act that could result in the same problems recurring in the future.

Here are four points that stand out to us. These issues of oversight relating to hacking capabilities are barely examined in the Investigatory Powers Act, which concentrates oversight and warrantry on the balance to be struck in targeting a particular person or group, rather than the risks surrounding the capabilities being developed.

GCHQ and the NSA knew about the problem years ago

Vulnerabilities, as we know from the Snowden documents, are shared between the NSA and GCHQ, as are the tools built that exploit them. These tools are then used to hack into computer equipment, as a stepping stone to getting to other data. These break-ins are at all kinds of companies, sites and groups, who may be entirely innocent, but useful to the security agencies to get closer to their actual targets.

In this case, the exploit, called ETERNALBLUE, was leaked after a break-in this April. It affects Windows XP. It has now been exploited by criminals to ransom organisations still running this software.

While GCHQ cannot be blamed for the NHS's reliance on out-of-date software, the decision that the NSA and GCHQ have made in keeping this vulnerability secret, rather than trying to get it fixed, means they have a significant share of the blame for the current NHS ransom.

GCHQ are in charge of hacking us and protecting us from hackers

GCHQ are normally responsible for 'offensive' operations, or hacking and breaking into other networks. They also have a 'defensive' role, at the National Cyber Security Centre, which is meant to help organisations like the NHS keep their systems safe from these kinds of breakdown.

GCHQ are therefore forced to trade off their use of secret hacking exploits against the risks these exploits pose to organisations like the NHS.

They have a tremendous conflict of interest, which in ORG's view, ought to be resolved by moving the UK defensive role out of GCHQ's hands.

Government also needs to have a robust means of assessing the risks that GCHQ's use of vulnerabilities might pose to the rest of us. At the moment, ministers can only turn to GCHQ to ask about the risks, and we assume the same is true in practice of oversight bodies and future Surveillance Commissioners. The obvious way to improve this and get more independent advice is to split National Cyber Security Centre from GCHQ.

GCHQ's National Cyber Security Centre had no back up plan

We also need to condemn the lack of action from NCSC and others once the exploit was known to be "lost" this April. Hoarding vulnerabilities is of course inherently dangerous, but then apparently not having a plan to execute when they are lost is inexcusable. This is especially true given that this vulnerability is obviously capable of being used by self-spreading malware.

GCHQ are not getting the balance between offence and defence right

The bulk of GCHQ's resources go into offensive capabilities, including hoarding data, analytics and developing hacking methods. There needs to be serious analysis to see whether this is really producing the right results. This imbalance is likely to remain the case while GCHQ is in charge of both offence and defence, who will always prioritise offence. Offence has also been emphasised by politicians who feel pressure to defend against terrorism, whatever the cost. Defence, such as ensuring critical national infrastructure like the NHS is protected, is the poor relation of offensive capabilities. Perhaps the NHS ransom is the result.