Category

News

DCMS publishes consultation on NIS Directive for Digital Service Providers

By | News, Security

The Department for Digital, Culture, Media and Sport (DCMS) has published a targeted consultation to seek views on how the Government intends to implement the Network and Information Systems (NIS) Directive in relation to Digital Service Providers (DSPs) in the UK. This follows the publication of the Implementing Act for DSPs by the European Commission in January 2018.

The Government states that the UK will define DSPs in the same way as set out in the Directive, which means that DSPs will encompass “online marketplaces”, “online search engines”, and “cloud computing services”.

As the Government has previously stated, the Information Commissioner’s Office (the ICO) will be responsible for regulating DSPs in the UK in the context of the NIS Directive. As part of this role, the ICO will produce guidance to help DSPs establish whether they are in scope of the Directive. The consultation states that the ICO will also, after 10 May 2018 when the Directive comes into force, “establish a system in order for UK DSPs to register themselves with the ICO.” The Government states that this system “is necessary in order for the ICO to know who is required to meet the requirements of the Directive and who they need to regulate”, and that it is considering making registration mandatory.

The ICO will also publish guidance to ensure that DSPs understand their obligations under the Directive. This guidance will take into account the Technical Guidelines for the implementation of minimum security measures for Digital Service Providers published by the European Network and Information Systems Agency (ENISA) in 2017. This, according to the Government, will ensure that there is a consistent approach across Europe.

The ICO, along with the other relevant regulatory authorities, will have the power to recover the costs of regulating the NIS Directive. In this context, the Government expects that the ICO, in line with common practice in other regulations such as the GDPR, will levy an annual fee on DSPs, in addition to recovering direct costs involved in any regulatory investigations. The consultation states that the amount of this fee has not yet been determined and will be published by the ICO in due course.

The closing date for responses to the consultation is 29 April 2018.

Malaysian penalty for “fake news”: 10 years in jail

By | Content Issues, International, News

The Malaysian government has brought forward a bill in Parliament that sets the penalty for publishing so-called “fake news” online at up to ten years in jail plus a fine of 500,000 MYR (about £90,000), Reuters reports.

“The proposed Act seeks to safeguard the public against the proliferation of fake news whilst ensuring the right to freedom of speech and expression under the Federal Constitution is respected,” the government said in the bill.

The bill gives a broad definition to fake news, covering “news, information, data and reports which is or are wholly or partly false”. It seeks to apply the law extra-territorially, to anything published on the Internet provided Malaysia or Malaysians are affected by the article.

“Fake news” has become an increasingly popular target of political attack since Donald Trump popularised the term in his battles with CNN and other major broadcasters. In the UK, a Parliamentary Select Committee recently held their first ever hearings in Washington DC on the subject, summoning social media platforms to be lambasted for failing to suppress allegedly “fake news”. The Prime Minister’s office established a new unit to counter fake news in January.

So far, however, no UK government Minister has suggested jailing people for writing something on the Internet that isn’t right.

Council of Europe publishes guidelines for Internet intermediaries

By | International, News

The Council of Europe has published a Recommendation to Member States on the roles and responsibilities of Internet intermediaries. The Recommendation declares that access to the Internet is a precondition for the ability effectively to exercise fundamental human rights, and seeks to protect users by calling for greater transparency, fairness and due process when interfering with content. The Recommendation also calls for greater respect for user privacy.

The Recommendation’s key provisions aimed at governments include:

  • Public authorities should only make “requests, demands or other actions addressed to internet intermediaries that interferes with human rights and fundamental freedoms” when prescribed by law. This means they should therefore avoid asking intermediaries to remove content under their terms of service or to make their terms of service more restrictive.
  • Legislation giving powers to public authorities to interfere with Internet content should clearly define the scope of those powers and available discretion, to protect against arbitrary application.
  • When internet intermediaries restrict access to third-party content based on a State order, State authorities should ensure that effective redress mechanisms are made available and adhere to applicable procedural safeguards.
  • When intermediaries remove content based on their own terms and conditions of service, this should not be considered a form of control that makes them liable for the third-party content for which they provide access.
  • Member States should consider introducing laws to prevent vexatious lawsuits designed to suppress users’ free expression, whether by targeting the user or the intermediary. In the US, these are known as “anti-SLAPP laws”.

The Recommendation’s provisions aimed at service providers include:

  • A “plain language” requirement for terms of service.
  • A call to include outside stakeholders in the process of drafting terms of service.
  • Transparency on how restrictions on content are applied, when, and detailed information on how algorithmic and automated means are used.
  • Transparency reporting.
  • Effective remedies and complaints mechanisms for users who wish to dispute restriction of their service or content. “all remedies should allow for an impartial and independent review of the alleged violation [of users’ rights to expression]. These should – depending on the violation in question – result in inquiry, explanation, reply, correction, apology, deletion, reconnection or compensation”.

The Council of Europe is an intergovernmental body entirely separate from the European Union. With 47 member states, it seeks to promote democracy, human rights and the rule of law, including by monitoring adherence to the rulings of the European Court of Human Rights. Its Recommendations are not legally binding on Member States, but are very influential in the development of national policy and of the policy and law of the European Union.

ICANN protects .home, .mail and .corp from registration

By | DNS, Internet Governance, News

ICANN has announced that it will not delegate the new top-level domains .home, .mail and .corp, effectively turning these domains into reserved strings. The move acts to protect organisations that already use these domains to indicate IT resources on their own local network.

These three domains have been found to be widely used by organisations for internal purposes, even though they are not available from ICANN. Numerous representations have been made to ICANN that delegating these domains would cause “string collision”, including by ICANN’s own Security and Stability Advisory Committee. String collision occurs when the same domain is used by different parties, recognised by different DNS resolver trees, meaning that the user may not be directed to the resource they expect. This can pose a risk of phishing fraud. String collision is normally considered a risk of a split DNS root (i.e. someone trying to usurp ICANN’s job), but can also occur when individual organisations make “private” use of an unregistered domain on their own network.

For example, if .corp were available for registrations then someone that registered fileserver.corp might receive traffic that users expected to go to a fileserver on their own corporate network – a clear security risk. By preventing these top level domains being delegated, ICANN has removed that threat from corporate networks already making use of them.

Government conclusions on NIS implementation

By | News, Security

The UK Department for Digital, Culture, Media & Sport (DCMS) has published its response to the replies it received to last year’s public consultation on implementation of the Network Information Security Directive (NIS-D). Finding broad support from responders for its proposed approach, it intends to press ahead largely unchanged, but with altered thresholds and adjustments to the penalty regime.

In regard to Internet Exchange Points, the government has dropped port capacity as the criterion for identifying essential services; any particular threshold would quickly have become out of date. Instead, the qualifying criteria will be based on market share and routing table coverage. An IXP operator will qualify as an essential service if it has:

  • “50% or more annual market share amongst UK IXP Operators in terms of interconnected autonomous systems”, or if it
  • “offer[s] interconnectivity to 50% or more of Global Internet routes”

The thresholds for DNS providers have also been changed:

  • Operators of TLD registries will qualify as operators of essential services if they service an average of 2 billion queries or more per day (threshold unchanged);
  • Operators of DNS resolvers will qualify as operators of essential services if they service an average of 2 million DNS clients per day (changed from 60 million DNS queries per day). Moreover, only resolvers for publicly accessible services will count, which may exclude some public and academic sector operators.
  • Additionally, operators of authoritative DNS hosting will also be brought into scope of NIS-D, for operators who host 250,000 domain names or more, again for public services.

The penalty regime has been simplified as a straightforward maximum fine of £17 million. This replaces a two-tier structure of up to €20 million or 4% of global turnover for failure to implement appropriate security measures, and €10 million or 2% of global turnover for other offences. For many, but not all, of the affected businesses this will be a reduction in their exposure.

Another change is that incident reporting will be viewed as a compliance operation, for the operator to register the existence of a security incident with the regulator, separate from incident response. This is intended to protect the existing co-operative relationship operators have with the National Cyber Security Centre and other government protective services.

The government has also made adjustments to the draft “high level security principles” with which operators will be required to comply, in some cases so as to make the expectation more specifically require a good outcome, rather than merely a good process.

The government has confirmed that it will proceed with the approach of using sector-specific regulators as the regulator for NIS-D, resulting in multiple “Competent Authorities”. This was broadly welcomed by affected businesses. Accordingly, the NIS-D regulator for Digital infrastructure (IXPs and DNS providers) will be Ofcom.

ECJ to rule on whether Facebook must actively seek out hate speech

By | Content Issues, News

The Austrian Supreme Court has asked the European Court of Justice to rule on whether Facebook should actively search for hate speech posted by users. The original lawsuit against Facebook was filed by Eva Glawischnig, the former leader of the Austrian Green Party, in 2016, after Facebook refused to take down what she claimed were defamatory postings about her.

Last year, an Austrian appeals court ruled in favour of Glawischnig, ordering Facebook to remove the hate speech postings – both the original posts and any verbatim repostings of the same comments – not just in Austria but worldwide. The Austrian Supreme Court has asked the ECJ to look at two issues: 1. Whether Facebook needs to actively look for similar posts, instead of just reposts, and 2. Whether such content needs to be removed globally.

The case comes amidst concerted pressure in Europe for social media platforms to do more to tackle hate speech. A new hate speech law in Germany, known as the network enforcement act, requires companies to remove or block criminal content within 24 hours, or seven days for complex cases, of it being reported. The law has already attracted controversy, despite only being actively enforced since 1 January 2018, after Twitter deleted a post by the German justice minister, Heiko Maas, dating back to 2010 before he was appointed to the role, calling a fellow politician “an idiot”. Twitter has also deleted anti-Muslim and anti-migrant posts by the far-right Alternative for Germany (AfD) party and blocked a satirical magazine’s account after it parodied the AfD’s anti-Muslim comments. The German Government has said that an evaluation will be carried out within six months to examine how well the new law is working.

Meanwhile, the European Commission has kept up the pressure on tech companies calling for them “to step up and speed up their efforts to tackle these threats quickly and comprehensively” and reiterating that it would “if necessary, propose legislation to complement the existing regulatory framework.”

UK Government to set up new unit to tackle fake news

By | Content Issues, News

The UK government has announced that it will set up a new unit to counter “fake news” and disinformation. The government said that the “dedicated national security communications unit”, which is already being dubbed the “Ministry of Truth”, would be charged with “combating disinformation by state actors and others”. As yet, there is no further information on where the unit will be based or who will staff it.

The Digital, Culture, Media and Sport Committee is currently carrying out an inquiry into “fake news” and has requested information from Facebook and Twitter including on Russian activity during the EU referendum campaign.

IPO launches copyright lessons for seven-year-olds

By | Content Issues, News

The UK’s Intellectual Property Office (IPO) has launched a new campaign to teach children about online copyright infringement. In a bid to make intellectual property “fun”, the IPO has produced a range of teaching materials for seven- to 11-year-olds, which centres on a series of cartoons following the adventures of Nancy and the Meerkats.

According to the BBC:

The five-minute cartoons tell the story of would-be pop star Nancy, a French bulldog, who battles her ideas-stealing, feline nemesis, Kitty Perry, and teaches friends, including Justin Beaver and a rather dim Welsh sheep called Ed Shearling, about the importance of choosing an original band name and registering it as a trademark.

The IPO, which believes learning to “respect” copyrights and trademarks is a “key life skill”, is spending £20,000 on the campaign, which is part-funded by the UK music industry.

UK to tighten takeover rules to protect national security

By | News, Security

The UK Department for Business, Energy and Industrial Strategy (BEIS) has published a Green Paper with plans to bolster government powers to intervene in corporate mergers and takeovers involving high-tech goods and services to protect national security, and is consulting on what other powers it might need.

In the short term, the government will reduce the turnover threshold that limits its existing powers to intervene in corporate takeovers. At the moment, the Competition and Markets Authority’s powers only apply to takeovers where the target company has a turnover of at least £70m per year. For companies producing goods and services for military use, or “dual-use” technologies that can be used for military purposes, this is to be reduced to cover any company with a turnover in excess of £1 million. It will also reduce the takeover threshold to £1 million turnover per annum for companies involved in the creation, design or support of “multi-purpose computing hardware” and quantum-based technology.

In the longer term, the government is looking at a range of options, including:

  • extending existing powers to intervene in corporate takeovers, so that they would also apply to new projects, the acquisition of land near sensitive locations, and the sale of “bare assets” (e.g. equipment, intellectual property, or divisions of a business) not involving the sale of the entire company; and
  • creating a mandatory obligation on companies to notify the Competition and Markets Authority when they are targeted for takeover.

The deadline for commenting on the changes to takeover thresholds is 14th November 2017, and for the longer term reforms is 9th January 2018.

UK Government publishes Internet Safety green paper

By | Content Issues, Malware and DOS attacks, News

The UK Government has announced proposals for a voluntary levy on Internet companies “to raise awareness and counter internet harms”. The government has said that the levy would target issues such as cyberbullying, online abuse and children being exposed to pornography on the Internet.

The levy is one of a series of measures proposed in the Internet Safety Green Paper, which is the result of a consultation launched in February. The other measures include:

  • A new social media code of practice to require more intervention by social media companies against allegedly bullying, intimidating or humiliating content
  • An annual Internet safety transparency report, to help government track how fast social media companies remove material that has been the subject of a complaint
  • Demands for tech and digital startups to “think safety first” – prioritising features to facilitate complaints and content removal as functionality that must be built into apps and products from the very start

All the measures will be voluntary, although the government has not ruled out legislating if companies refuse to take part. In remarks that will be of concern to Internet companies, the Culture Secretary Karen Bradley hinted that the government could change the legal status of social media companies, to deem them publishers rather than platforms, which could mean even greater regulation of their users’ content.

“Legally they are mere conduits but we are looking at their role and their responsibilities and we are looking at what their status should be. They are not legally publishers at this stage but we are looking at these issues,” she said.

The consultation will close on 7 December, and the government expects to respond in early 2018.