Category

News

Council of Europe publishes guidelines for Internet intermediaries

By | International, News

The Council of Europe has published a Recommendation to Member States on the roles and responsibilities of Internet intermediaries. The Recommendation declares that access to the Internet is a precondition for the ability effectively to exercise fundamental human rights, and seeks to protect users by calling for greater transparency, fairness and due process when interfering with content. The Recommendation also calls for greater respect for user privacy.

The Recommendation’s key provisions aimed at governments include:

  • Public authorities should only make “requests, demands or other actions addressed to internet intermediaries that interferes with human rights and fundamental freedoms” when prescribed by law. This means they should avoid asking intermediaries to remove content under their terms of service or to make their terms of service more restrictive.
  • Legislation giving powers to public authorities to interfere with Internet content should clearly define the scope of those powers and available discretion, to protect against arbitrary application.
  • When internet intermediaries restrict access to third-party content based on a State order, State authorities should ensure that effective redress mechanisms are made available and adhere to applicable procedural safeguards.
  • When intermediaries remove content based on their own terms and conditions of service, this should not be considered a form of control that makes them liable for the third-party content for which they provide access.
  • Member States should consider introducing laws to prevent vexatious lawsuits designed to suppress users’ free expression, whether by targeting the user or the intermediary. In the US, these are known as “anti-SLAPP laws”.

The Recommendation’s provisions aimed at service providers include:

  • A “plain language” requirement for terms of service.
  • A call to include outside stakeholders in the process of drafting terms of service.
  • Transparency on how and when restrictions on content are applied, with detailed information on how algorithmic and automated means are used.
  • Transparency reporting.
  • Effective remedies and complaints mechanisms for users who wish to dispute restriction of their service or content. “all remedies should allow for an impartial and independent review of the alleged violation [of users’ rights to expression]. These should – depending on the violation in question – result in inquiry, explanation, reply, correction, apology, deletion, reconnection or compensation”.

The Council of Europe is an intergovernmental body entirely separate from the European Union. With 47 member states, it seeks to promote democracy, human rights and the rule of law, including by monitoring adherence to the rulings of the European Court of Human Rights. Its Recommendations are not legally binding on Member States, but are very influential in the development of national policy and of the policy and law of the European Union.

ICANN protects .home, .mail and .corp from registration

By | DNS, Internet Governance, News

ICANN has announced that it will not delegate new top-level domains .home, .mail and .corp, effectively turning these domains into reserved strings. The move acts to protect organisations that already use these domains to indicate IT resources on their own local network.

These three domains have been found to be widely used by organisations for internal purposes, even though they are not available from ICANN. Numerous representations have been made to ICANN, including by its own Security and Stability Advisory Committee, that delegating these domains would cause “string collision”. String collision occurs when the same domain is used by different parties and recognised by different DNS resolver trees, meaning that the user may not be directed to the resource they expect. This can pose a risk of phishing fraud. String collision is normally considered a risk of a split DNS root (i.e. someone trying to usurp ICANN’s job), but can also occur when individual organisations make “private” use of an unregistered domain on their own network.

For example, if .corp were available for registrations then someone who registered fileserver.corp might receive traffic that users expected to go to a fileserver on their own corporate network – a clear security risk. By preventing these top-level domains from being delegated, ICANN has removed that threat from corporate networks already making use of them.
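The fileserver.corp scenario above, modelled as an added example (not ICANN's or this site's code). The names, addresses and the small set of public TLDs are constructed; the sketch compares what an internal resolver tree and the public tree answer for the same name, and audits which private TLDs in an inventory are covered by the reservation.

```python
# Added example: constructed model of string collision between a private
# namespace and the public DNS tree. All names and addresses are made up.
RESERVED = {"home", "mail", "corp"}   # strings the article says ICANN will not delegate
PUBLIC_TLDS = {"com", "org", "dev"}   # constructed sample, not the full root zone

def tld(name):
    return name.rstrip(".").rsplit(".", 1)[-1].lower()

class ResolverTree:
    """One DNS view: the TLDs it recognises plus the records beneath them."""
    def __init__(self, tlds, records):
        self.tlds = {t.lower() for t in tlds}
        self.records = {n.lower().rstrip("."): ip for n, ip in records.items()}

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if tld(name) not in self.tlds:
            return None               # NXDOMAIN: this tree has no such TLD
        return self.records.get(name)

def collisions(internal, public, names):
    """Names that both trees answer, but with different data."""
    found = []
    for name in names:
        inside, outside = internal.resolve(name), public.resolve(name)
        if inside is not None and outside is not None and inside != outside:
            found.append((name, inside, outside))
    return found

def audit_private_tlds(names, public_tlds):
    """Classify each TLD used internally: reserved, delegated or undelegated."""
    status = {}
    for name in names:
        label = tld(name)
        if label in RESERVED:
            status[label] = "reserved"      # covered by the decision described above
        elif label in public_tlds:
            status[label] = "delegated"     # exists publicly: collision exposure
        else:
            status[label] = "undelegated"   # unregistered today, but not reserved
    return status

# Constructed internal inventory.
NAMES = ["fileserver.corp", "printer.home", "build.dev", "wiki.lan"]
INTERNAL = ResolverTree(
    {"corp", "home", "dev", "lan"},
    {"fileserver.corp": "10.0.0.5", "printer.home": "10.0.0.9",
     "build.dev": "10.0.0.20", "wiki.lan": "10.0.0.30"},
)

def public_tree(corp_delegated):
    """Public view, with or without a hypothetical .corp delegation."""
    tlds = PUBLIC_TLDS | ({"corp"} if corp_delegated else set())
    return ResolverTree(tlds, {"fileserver.corp": "203.0.113.7"})

if __name__ == "__main__":
    print("if .corp were delegated:", collisions(INTERNAL, public_tree(True), NAMES))
    print("with .corp reserved:    ", collisions(INTERNAL, public_tree(False), NAMES))
    print("audit:", audit_private_tlds(NAMES, PUBLIC_TLDS))
```
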

Government conclusions on NIS implementation

By | News, Security

The UK Department for Digital, Culture, Media & Sport (DCMS) has published its response to the replies it received to last year’s public consultation on implementation of the Network Information Security Directive (NIS-D). Finding broad support from responders for its proposed approach, it intends to press ahead largely unchanged, but with altered thresholds and adjustments to the penalty regime.

In regard to Internet Exchange Points, the government has dropped port capacity as the criterion for identifying essential services; any particular threshold would quickly have become out of date. Instead, the qualifying criteria will be based on market share and routing table coverage. An IXP operator will qualify as an essential service if it has:

  • “50% or more annual market share amongst UK IXP Operators in terms of interconnected autonomous systems”, or if it
  • “offer[s] interconnectivity to 50% or more of Global Internet routes”

The thresholds for DNS providers have also been changed:

  • Operators of TLD registries will qualify as operators of essential services if they service an average of 2 billion queries or more per day (threshold unchanged);
  • Operators of DNS resolvers will qualify as operators of essential services if they service an average of 2 million DNS clients per day (changed from 60 million DNS queries per day). Moreover, only resolvers for publicly accessible services will count, which may exclude some public and academic sector operators.
  • Additionally, operators of authoritative DNS hosting will also be brought into scope of NIS-D, for operators who host 250,000 domain names or more, again for public services.

The penalty regime has been simplified to a single maximum fine of £17 million. This replaces a two-tier structure of up to €20 million or 4% of global turnover for failure to implement appropriate security measures, and €10 million or 2% of global turnover for other offences. For many, but not all, of the affected businesses this will be a reduction in their exposure.

Another change is that incident reporting will be viewed as a compliance operation, for the operator to register the existence of a security incident with the regulator, separate from incident response. This is intended to protect the existing co-operative relationship operators have with the National Cyber Security Centre and other government protective services.

The government has also made adjustments to the draft “high level security principles” with which operators will be required to comply, in some cases so as to make the expectation more specifically require a good outcome, rather than merely a good process.

The government has confirmed that it will proceed with the approach of using sector-specific regulators as the regulator for NIS-D, resulting in multiple “Competent Authorities”. This was broadly welcomed by affected businesses. Accordingly, the NIS-D regulator for Digital infrastructure (IXPs and DNS providers) will be Ofcom.

ECJ to rule on whether Facebook must actively seek out hate speech

By | Content Issues, News

The Austrian Supreme Court has asked the European Court of Justice to rule on whether Facebook should actively search for hate speech posted by users. The original lawsuit against Facebook was filed by Eva Glawischnig, the former leader of the Austrian Green Party, in 2016, after Facebook refused to take down what she claimed were defamatory postings about her.

Last year, an Austrian appeals court ruled in favour of Glawischnig, ordering Facebook to remove the hate speech postings – both the original posts and any verbatim repostings of the same comments – not just in Austria but worldwide. The Austrian Supreme Court has asked the ECJ to look at two issues: 1. Whether Facebook needs to actively look for similar posts, instead of just reposts, and 2. Whether such content needs to be removed globally.

The case comes amidst concerted pressure in Europe for social media platforms to do more to tackle hate speech. A new hate speech law in Germany, known as the network enforcement act, requires companies to remove or block criminal content within 24 hours, or seven days for complex cases, of it being reported. The law has already attracted controversy, despite only being actively enforced since 1 January 2018, after Twitter deleted a post by the German justice minister, Heiko Maas, dating back to 2010 before he was appointed to the role, calling a fellow politician “an idiot”. Twitter has also deleted anti-Muslim and anti-migrant posts by the far-right Alternative for Germany (AfD) party and blocked a satirical magazine’s account after it parodied the AfD’s anti-Muslim comments. The German Government has said that an evaluation will be carried out within six months to examine how well the new law is working.

Meanwhile, the European Commission has kept up the pressure on tech companies calling for them “to step up and speed up their efforts to tackle these threats quickly and comprehensively” and reiterating that it would “if necessary, propose legislation to complement the existing regulatory framework.”

UK Government to set up new unit to tackle fake news

By | Content Issues, News

The UK government has announced that it will set up a new unit to counter “fake news” and disinformation. The government said that the “dedicated national security communications unit”, which is already being dubbed the “Ministry of Truth”, would be charged with “combating disinformation by state actors and others”. As yet, there is no further information on where the unit will be based or who will staff it.

The Digital, Culture, Media and Sport Committee is currently carrying out an inquiry into “fake news” and has requested information from Facebook and Twitter including on Russian activity during the EU referendum campaign.

IPO launches copyright lessons for seven-year olds

By | Content Issues, News

The UK’s Intellectual Property Office (IPO) has launched a new campaign to teach children about online copyright infringement. In a bid to make intellectual property “fun”, the IPO has produced a range of teaching materials for seven- to 11-year-olds, which centres on a series of cartoons following the adventures of Nancy and the Meerkats.

According to the BBC:

The five-minute cartoons tell the story of would-be pop star Nancy, a French bulldog, who battles her ideas-stealing, feline nemesis, Kitty Perry, and teaches friends, including Justin Beaver and a rather dim Welsh sheep called Ed Shearling, about the importance of choosing an original band name and registering it as a trademark.

The IPO, which believes learning to “respect” copyrights and trademarks is a “key life skill”, is spending £20,000 on the campaign, which is part-funded by the UK music industry.

UK to tighten takeover rules to protect national security

By | News, Security

The UK Department for Business, Energy and Industrial Strategy (BEIS) has published a Green Paper with plans to bolster government powers to intervene in corporate mergers and takeovers involving high-tech goods and services to protect national security, and is consulting on what other powers it might need.

In the short term, the government will reduce the turnover threshold that limits its existing powers to intervene in corporate takeovers. At the moment, the Competition and Markets Authority’s powers only apply to takeovers where the target company has a turnover of at least £70m per year. For companies producing goods and services for military use, or “dual-use” technologies that can be used for military purposes, this is to be reduced to cover any company with a turnover in excess of £1 million. It will also reduce the takeover threshold to £1 million turnover per annum for companies involved in the creation, design or support of “multi-purpose computing hardware” and quantum-based technology.

In the longer term, the government is looking at a range of options, including:

  • extending existing powers to intervene in corporate takeovers, so that they would also apply to new projects, the acquisition of land near sensitive locations, and the sale of “bare assets” (e.g. equipment, intellectual property, or divisions of a business) not involving the sale of the entire company; and
  • creating a mandatory obligation on companies to notify the Competition and Markets Authority when they are targeted for takeover.

The deadline for commenting on the changes to takeover thresholds is 14th November 2017, and for the longer term reforms is 9th January 2018.

UK Government publishes Internet Safety green paper

By | Content Issues, Malware and DOS attacks, News

The UK Government has announced proposals for a voluntary levy on Internet companies “to raise awareness and counter internet harms”. The government has said that the levy would target issues such as cyberbullying, online abuse and children being exposed to pornography on the Internet.

The levy is one of a series of measures proposed in the Internet Safety Green Paper, which is the result of a consultation launched in February. The other measures include:

  • A new social media code of practice to require more intervention by social media companies against allegedly bullying, intimidating or humiliating content
  • An annual Internet safety transparency report, to help government track how fast social media companies remove material that has been the subject of a complaint
  • Demands for tech and digital startups to “think safety first” – prioritising features to facilitate complaints and content removal as functionality that must be built into apps and products from the very start

All the measures will be voluntary, although the government has not ruled out legislating if companies refuse to take part. In remarks that will be of concern to Internet companies, the Culture Secretary Karen Bradley hinted that the government could change the legal status of social media companies, to deem them publishers rather than platforms, which could mean even greater regulation of their users’ content.

“Legally they are mere conduits but we are looking at their role and their responsibilities and we are looking at what their status should be. They are not legally publishers at this stage but we are looking at these issues,” she said.

The consultation will close on 7 December, and the government expects to respond in early 2018.

Amber Rudd focusses on Internet in conference speech

By | Content Issues, News

Home Secretary Amber Rudd focussed on Internet policy issues in her speech to the Conservative Party Conference in Manchester. The Home Secretary reiterated her demands for Internet platforms to do more to combat terrorism and child abuse.

Rudd announced plans to tighten terrorism laws to criminalise merely viewing terrorist content, as opposed to keeping a copy found on the Internet, as well as new legislation to criminalise publishing information about the police or armed forces for the purposes of preparing an act of terrorism. Internet companies, however, will be most directly concerned with the demands the Home Secretary made directly of them.

“But it is not just Government who has a role here. In the aftermath of the Westminster Bridge attack, I called the internet companies together. Companies like Facebook, Google, Twitter and Microsoft. I asked them what they could do, to go further and faster.

They answered by forming an international forum to counter terrorism. This is good progress, and I attended their inaugural meeting in the West Coast.

These companies have transformed our lives in recent years with advances in technology.

Now I address them directly. I call on you with urgency, to bring forward technology solutions to rid your platforms of this vile terrorist material that plays such a key role in radicalisation.

Act now. Honour your moral obligations.”

— Home Secretary Amber Rudd

The Home Secretary announced that the government would be funding Project Arachnid, web-crawler software developed by the Canadian child protection Cybertipline, designed to search out child abuse imagery online.

“It is software that crawls, spider-like across the web, identifying images of child sexual abuse, and getting them taken down, at an unprecedented rate.

Our investment will also enable internet companies to proactively search for, and destroy, illegal images in their systems. We want them to start using it as soon as they can.

Our question to them will be ‘if not, why not’. And I will demand very clear answers.”

— Amber Rudd

Rudd also doubled down on previous attacks on end-to-end encryption in person-to-person messaging software:

“But we also know that end to end encryption services like Whatsapp, are being used by paedophiles. I do not accept it is right that companies should allow them and other criminals to operate beyond the reach of law enforcement.”

— Amber Rudd

Speaking earlier at a conference fringe event, she hit back at critics who accuse her of fighting a war against mathematics, saying:

“I don’t need to understand how encryption works”,

— Amber Rudd

And accusing tech experts of “patronising” and “sneering” at politicians who want to regulate technology.

Websites discovered using their users’ computers to mine cryptocurrency

By | General, News

Two websites have been discovered to be using their users’ computers and phones to mine cryptocurrency without their consent in a bid to compensate for the continuing collapse in online advertising revenues.

The two sites, BitTorrent search engine The Pirate Bay and US video streaming service Showtime, have now both removed the mining code from their sites after users noticed its existence. The Pirate Bay admitted the practice in mid-September, posting that the code was “just a test” and that it was carried out with a view to removing all adverts from the site. Showtime has yet to answer questions about why it was using the code.

The practice is controversial, and has been compared to running malware on users’ computers, as it slows down users’ machines and can also drain their batteries or greatly increase their electricity bills. Meanwhile, the user receives no benefit, as all the revenue generated by the mining is collected by the website. The question is whether users will see this as an acceptable trade-off if sites begin to use it as an alternative solution to online ads.