To ask Her Majesty’s Government whether clause 217 of the Investigatory Powers Bill will give them the power to force a company to break its own encryption in a similar manner to the United States Federal Bureau of Investigation’s abandoned attempt to make Apple break the security of an iPhone.
My Lords, the Investigatory Powers Bill maintains and clarifies existing powers to ensure that terrorists and criminals cannot use technology to escape justice. The Bill provides our law enforcement and security and intelligence agencies with the ability to require communications service providers to remove encryption that they have applied themselves in tightly defined circumstances where it is reasonably practicable to do so.
My Lords, Clause 217 of the Investigatory Powers Bill gives the Government almost unlimited powers to force, in secret, companies to remove “electronic protection” from their products. How do the Government intend to use this power in the increasingly frequent cases where a company has designed the security of its products so that even the company itself is incapable of unlocking the equipment or decrypting the data? Will Apple and others be required to redesign their products so that they can break into them, or will they be required to stop selling them in the UK?
With respect to the noble Lord, Clause 217 does not provide anyone with unlimited powers with respect to these matters; it deals with technical capability notices—a notice which is given after discussion with the Technical Advisory Board to a company requiring it to retain the ability to decrypt information if and when an appropriate warrant is served pursuant to Clause 36 of the Bill. Therefore, it applies only to the extent that it is reasonably practicable for the company to comply. The relevant tests are clear in the Bill, as the noble Lord may recall, as he sat on the Joint Committee that considered the Bill between November 2015 and February 2016.
My Lords, will the Minister explain Clause 217 a little more clearly? It suggests that a warrant might be sent overseas from the UK. Does the opposite apply as well—that UK tech companies might get an overseas request to break encryption, with which they have to comply?
I am obliged to the noble Baroness. Let me be clear: Clause 217 is not concerned with warrants but with technical capability notices. They precede any question of a warrant. A warrant or a notice would proceed under a different part of the Bill. I do not want to elaborate on this because the Bill will be before this House in the very near future, at which time these details can be considered. However, to pick up on the noble Baroness’s last point, on companies that are overseas but have a presence here and provide services here, the warrant does extend to those companies. With regard to companies overseas, the warrant may be served there. They may have an answer that it is not reasonably practicable to respond because, for example, their own domestic law forbids them doing so. However, the Government have already initiated discussions with the United States of America to come to an agreement on reciprocal enforcement of these relevant and important provisions.
Before scare stories about this Bill start being run, can the Minister confirm that there is no case whatsoever for unlimited powers? One strength of the Bill is that it strengthens the oversight of the security agencies, to give people the confidence that those who are doing the work are being watched, and the watchers are also being watched on behalf of the public in order, therefore, to keep us safe.
I entirely concur with the noble Lord’s observations. The introduction of the double-lock mechanism in the context of the warrant underlines the importance of these developments. When the noble Lord, Lord Rosser, responded to the Statement on the Bill in November last year, he observed that it appeared that, in broad terms, the Bill had struck the difficult balance between public interest and privacy.
My Lords, the part of GCHQ responsible for ensuring the security of our national infrastructure, such as the national grid and our telecommunications network, is very keen on enhancing encryption. Another part of GCHQ wants to weaken encryption, so that it can access confidential information. Can the Minister say which side of GCHQ the Government are on?
It is not necessary to be on either side of the wrong question. The position is simple: encryption is effected by means of an algorithm, which is sometimes called an encryption key. If you sequence an encryption key, you encrypt; if you reverse the process, you decrypt. This Bill will not give any party access to the encryption key, which will be held by the provider.
Would the Minister agree with me when I say that I can find no moral justification for Apple’s refusal to open its own equipment, when it had been used by a dead terrorist?
I note what the noble Lord says, but the Apple case was one of some complexity. The court order that was eventually granted was in fact superseded because a third party came forward and provided the Federal Bureau of Investigation with access to the relevant material. The Apple case of course raised very real questions about the scope of responsibility of communications providers, and that is what this Bill seeks urgently to address. The providers have responsibilities to the public—not just the public to whom they provide their initial services.
My Lords, in support of my noble friend Lord Rooker, I ask the Minister this. In the final analysis, is it not absolutely essential—no matter what the complexities—that we do not allow criminals, terrorists, paedophiles, to exchange data, plan, and swap photographs in an area where there is no possibility of scrutiny by law enforcement agencies? Whatever happens, we must enable ourselves to monitor that, or else we are all less safe.
I entirely concur with the noble Lord. There must be no dark pools in which these criminals and terrorists can operate.
My Lords, the Minister did not like the question that the noble Lord, Lord Paddick, put to him. However, there is a real issue here: if the encryption keys are weakened because the companies concerned know they might be asked to release them under certain properly moderated circumstances, they will also have been weakened for other people who wish to do harm by breaching privacy, intellectual property and so on. What assessment have the Government made of how to mitigate that and to balance those two conflicting objectives?
I note that the noble Lord has associated himself with the noble Lord, Lord Paddick—it will become apparent why I make that connection. There is no question of encryption keys being weakened or of their being made available in response to a warrant. The encryption key will remain wholly in the possession of the provider of the service. The warrant will ask that they apply the encryption key in order to provide the decrypt. There is no weakening of any encryption in these circumstances.