(8 years, 3 months ago)
Lords ChamberMy Lords, I shall speak to Amendment 116 in my name and that of my noble friend Lady Hamwee. We also have our names to Amendments 154 and 235 in this group.
These amendments relate to a government commitment not to require telecommunications operators to retain third-party data. On 4 November 2015 in a Statement in the other place, the then Home Secretary said that the Bill,
“will not include powers to force UK companies to capture and retain third party internet traffic from companies based overseas”.—[Official Report, Commons, 4/11/15; col. 969.]
However, Clause 58(5)(c) states:
“An authorisation … may, in particular, require a telecommunications operator who controls or provides a telecommunication system to obtain or disclose data relating to the use of a telecommunications service provided by another telecommunications operator in relation to that system”.
Surely this means third-party data.
Amendment 116 would alter Clause 58(5)(c) to read, “may not require”. The key point here is that telecommunications companies should not be forced to obtain third-party data. The draft code of practice on communications data states at paragraph 2.61:
“A data retention notice can never require a CSP to retain the content of communications or third party data”.
Paragraph 2.66 states:
“A CSP cannot be required to retain third party data as part of an ICR”.
Amendment 154 would add a new subsection to Clause 83(2)—the clause headed “Powers to require retention of certain data”—to make explicit that a retention notice may,
“not require a telecommunications operator to retain any third party data, unless that data is retained by the telecommunications operator for its own business purposes”.
This is to distinguish between communications data that the telecommunications operator may have and being forced to acquire third-party data that it does not have.
Amendment 235 would restrict the definition of communications data in Clause 233(5) so that it relates to the provision of the service by that operator and not a third party. I beg to move Amendment 116.
My Lords, I have added my name to Amendment 154 and will not repeat what has been said about it. It simply asks the Government to make explicit what they have said—namely, that the retention of third-party data will not be required. It would be helpful to make that clear in the Bill.
My Lords, as the noble Lord, Lord Paddick, has explained, these three amendments all deal with the issue of third-party data. Amendment 116 seeks to prevent public authorities from acquiring third-party data, Amendment 154 seeks to put the Government’s commitment not to require retention of third-party data on to the face of the Bill and Amendment 235 seeks to amend the definition of communications data to exclude from it third-party data.
On the acquisition of third-party data, the Bill maintains the existing position under RIPA that public authorities can acquire third-party data where necessary and proportionate to do so. But I want to be clear here—a provider is required to comply with a request for communications data, including a request for third-party data, only where it is reasonably practicable for them to do so. It is absolutely right that, where a communications service provider holds, or is able to obtain, communications data, whether in relation to its own services or those provided by a third party, then the data should be available to public authorities for the statutory purposes in the Bill. Put simply, data that already exist, are already held and which could save a life, convict a criminal, prevent a terrorist attack or provide an alibi, should not be put out of reach of law enforcement based solely on which company it is that holds the information.
Amendment 154 deals with the retention of third-party data. As I am sure the noble Lord knows, this matter was considered in the Commons, where the Government gave a commitment to consider it further. I am grateful to the noble Lord and the noble Baroness for tabling this amendment and giving me an opportunity to update the Committee on those considerations. My right honourable friend the Home Secretary has given a clear commitment that we will not require a telecommunications operator to retain third-party data, and that commitment is given effect to in the Communications Data Draft Code of Practice. However, distilling that commitment into primary legislative drafting is complex. We do not want to include provisions in the Bill that are not entirely clear in scope or which put in place restrictions that are broader, or indeed narrower, than intended. But we have been making good progress and are close to a provision that we think achieves the desired outcome. Of course, we need to test that drafting with operational stakeholders and with those telecommunications operators likely to be affected by the legislation, but we hope to be able to return to this issue on Report.
Finally, on Amendment 235, the principle of what are communications data is clear. Changing that position so that the classification of data changes depending on which provider holds them would no doubt cause confusion among providers as to how the data should be handled. While I understand the concerns around third-party data, and hope that what I have said today lays some of those to rest, amending the definition of communications data is not the right way forward. I invite the noble Lord to withdraw Amendment 116.
My Lords, I shall speak briefly on the amendments on the request filter. Along with internet connection records, the request filter is another power that first appeared in the draft Communications Data Bill and which died along with that ill-fated Bill. The view of the pre-legislative Joint Committee on that Bill, on which I sat, was that,
“the Request Filter introduces new risks, most obviously the temptation to go on ‘fishing expeditions’. New safeguards should be introduced to minimise these risks”.
The request filter was described as,
“essentially a federated database of all UK citizens’ communications data”.
I dare say that the committee would be even more worried when it said that in 2012 if it had seen how this Bill expanded the range of data to which the request filter can be applied. That expansion comes from the proposed introduction of internet connection records, which would reveal every detail of a person’s digital life and a very large part of their life in the real world. The effect of the request filter will be to multiply up the effect of intrusion into those data by allowing public authorities to make complex automated searches across the retained data from all telecoms operators. This has the potential for population profiling and composite fishing trips. It is bulk surveillance without the bulk label.
Use of the request filter would be self-authorised by the public authority without any judicial authorisation at all. The concept that the Government promote for bulk data is that they are passive retained records, which they say sit there unexamined until someone comes to the attention of the authorities. That concept is negated by the request filter. The data become an actively checked resource and are no longer passive. Will the Minister confirm that the request filter is not yet in existence and is not yet being used?
The request filter is a bulk power masquerading as an innocuous safeguard to reduce collateral intrusion. Unless and until the Government come forward with proposals to strictly limit use of the request filter through tighter rules and judicial approval for warrants, as is the case with other bulk powers, Clauses 63, 64 and 65 should not stand part of the Bill.
My Lords, I shall use the opportunity that arises from Amendments 140 and 146A to ask the Minister to clarify whether it really is the case that Clause 2 does not automatically affect every power in the Bill. If this was the case, we would be sympathetic to these amendments, as the privacy objective should be considered before any of the powers are used. My understanding was that Clause 2 was a general provision, which affected everything. Indeed, the letter of the noble Earl, Lord Howe, of 14 July to my noble friend Lord Rosser says, “The new overarching privacy clause sets out the privacy obligations which constrain the use of the powers in the Bill”. Our understanding had been that it covered the whole Bill, so I was slightly bemused by Amendments 140 and 146A—not helped by a briefing received, again very late last night, from the Equality and Human Rights Commission, which only ever sends out its briefings on the very eve of debate. That briefing says that Clause 2 does not cover it all, whereas my understanding was that it did. Perhaps this is the opportunity for one of the Ministers to make clear the situation.
My Lords, I find the amendment moved by the noble Lord, Lord Paddick, difficult to understand. He made the point that the filter arrangement makes the operations of the police easier, but it makes them easier by ensuring that they do not inspect communications data which are not relevant to their purpose. It therefore protects privacy rather than threatens it. The filter is governed by the requirements of the rest of the Bill. It will apply the tests of necessity, proportionality and the protection of privacy. It is a protection of privacy rather than a threat to it.
My Lords, as I said earlier in Committee, it is important that, in assessing any proposal made in the Bill, we strike the balance between the need for it and any possible negative consequences, and whether that may weaken the security of a device, enabling the malign elements, as opposed to benign, to penetrate systems. As I understand it, the purpose of the amendment is to try to ensure that that balance is clear in the Bill. It would place an obligation on those seeking warrants and those considering them to look at whether that balance has been struck and ensure that it has.
It is reasonable for those seeking warrants to demonstrate that they have considered whether there are any negative consequences of the action they are prepared to take, particularly if it leads to a weakening of the general security of a wider system that may mean it is prone to attack from cybercriminals or others accordingly, or that there is likely to be a large amount of collateral damage in other people’s information being made available to the authorities.
I make it clear that I do not think the fact that the information of other people who are not the purpose of a warrant may be compromised is necessarily a reason why we should not proceed with this. It should be balanced with the consequences. For example, I can conceive of circumstances where a warrant might be sought for a machine in an internet café. Clearly, that is because certain individuals are thought to be using it. In any application I would want consideration to be given to what would be done about those other, presumably entirely innocent individuals who might use the same machine.
I am concerned that, as part of the process, there should be consideration of the downsides of a particular application: whether it is weakening the system or interfering with the privacy of other people who are not specifically targeted. If either is the case, there should be clear consideration of what can be done to minimise those risks. The fact that another person is not the subject does not necessarily mean that it should not be proceeded with. It is a matter of proportionality—the benefits that will be gained from the action being taken and whether those are properly considered by those making the application and those considering whether to approve it. For those reasons, the amendment is broadly helpful. I hope that Ministers may be prepared to accept this or something like it to provide that assurance.
My Lords, I added my name to Amendments 159 and 160. Amendment 164 is in my name and that of my noble friend Lord Rosser. Our points are much the same as those made by my noble friend Lord Harris. I do not think there will be planting of evidence, for example. Our concern is much more about the risk to any public cybersecurity system, and we would want that to be taken into account. These amendments follow the recommendations of the Joint Committee. The idea is to minimise any potential risks. If, for example, the Secretary of State has to take into account any risk to the security and integrity of the networks, that by itself will ensure that any applicant sets that out in the form they submit. We hope the Government will respond, as my noble friend Lord Harris said, not necessarily by using these exact words but in the spirit of these amendments in order to retain overall security.
My Lords, Amendments 159 and 160 would introduce new clauses requiring the person making an application for a warrant to make a detailed assessment of the risks of the proposed equipment interference activity to any critical national infrastructure, to the security and integrity of systems and networks, and to the privacy of those not targeted. Amendment 164 is linked to the requirement to produce risk assessments and would require the Secretary of State, when issuing warrants to the Chief of Defence Intelligence, to consider the content of these assessments when deciding whether the activity under the warrant would be proportionate. Amendment 169A would require a judicial commissioner to take into account a technical cyber risk assessment, conducted by the Investigatory Powers Commissioner, of the specific equipment interference proposed when deciding whether to approve a decision to issue a warrant.
I start by making an important general point. It seems these amendments are based on a fundamental misinterpretation of what GCHQ and others are here to do. Their role is to protect the public. That includes protecting cybersecurity. Indeed, the Government have invested very considerable resources into improving our cybersecurity efforts. Last November, the Chancellor announced the creation of a new national cyber centre led by GCHQ, with an additional £190 million of funding.
GCHQ has an excellent track record in identifying cyber vulnerabilities and making leading computer companies aware so they can improve their security. For example, in September 2015, Apple publicly credited CESG, the information assurance arm of GCHQ, with the detection of a vulnerability in its iOS operating system for iPhones and iPads, which could have been exploited to allow the unauthorised modification of software and to extract information from the devices. That vulnerability has now been patched.
I appreciate that the noble Lords’ amendments are intended to introduce safeguards, but I contend that sufficient safeguards are already contained in the Bill. Part 5 already requires the Secretary of State or law enforcement chief to consider whether the proposed conduct is necessary and proportionate before issuing a warrant. The Government have provided even more reassurance since the discussion of these same amendments in the other place. As we have frequently reflected, Clause 2 is a new provision that sets out overarching privacy duties. It includes a requirement to have regard to the public interest in the integrity and security of telecommunication systems. This requirement applies to any decision on whether to issue an equipment interference warrant.
The draft statutory code of practice also sets out, in detail, the factors that must be considered in respect of proportionality. The code states at paragraph 3.27 that one element of proportionality that should be considered is,
“explaining how and why the methods to be adopted will minimise the risk of intrusion on the subject and others”.
It goes on to state at paragraph 3.30:
“Equipment interference activity must therefore be carried out in such a way as to appropriately minimise the risk that the activities of the equipment interference agency would result in any increase of the likelihood or severity of any unauthorised intrusion into the privacy, or risk to the security, of users of equipment or systems, whether or not that equipment is subject to the activities of the equipment interference agency”.
If noble Lords will allow me one last quote, paragraph 3.31 states:
“Any application for an equipment interference warrant should contain an assessment of any risk to the security or integrity of systems or networks that the proposed activity may involve including the steps taken to appropriately minimise such risk … The issuing authority should consider any such assessment when considering whether the proposed activity is proportionate”.
(8 years, 3 months ago)
Lords ChamberMy Lords, I want to address Amendment 48 in a few words. I find myself uncomfortably caught between the issues raised by the Bill as drafted and Amendment 48. I agree very much with the criticism of the Bill that has been articulated by the three noble Lords who have already spoken. The test in the Bill as drafted is subjective, very wide and likely to have some of the undesirable consequences identified by the noble Lords. I also think that the amendment is, curiously, too narrow. As I interpret it, it requires compelling evidence of a criminal purpose.
A long time ago, when I was in the Home Office, I had responsibility for one of the prevention of terrorism Bills which was going through the House of Commons. One of the issues we had to consider in Committee was very similar to the point made by the noble Lord, Lord Carlile. What happens when a lawyer receives, through the legal process of discovery, information which is capable of supporting terrorism? We decided as a matter of principle that that information would not be disclosed to the defending lawyer because of the risk of transmission to the client, who might use it for the purposes of terrorism.
I am therefore concerned that while the Bill as drafted is too broad, the amendment is too narrow. It does not capture the situation when an innocent communicator can communicate to a client, who may be a terrorist, information which that person can use for an act of terrorism. I am glad to hear that this is a probing amendment, which has been accurately advanced, and that the Government are minded to be responsive to the anxieties expressed. I hope that the Minister will keep in mind my own anxiety, that while Amendment 48 has a great deal of merit, it is too narrow, while the Bill as drafted is too broad.
My Lords, I will not dare to try to better the arguments already made in this debate but will only emphasise two things with regard to the amendments to which I have added my name.
The first, which has already been mentioned by the noble Lord, Lord Pannick, is that this so-called privilege is of the utmost importance to clients—the description always sounds as if it is your privilege rather than ours. I speak as the former chair of the Legal Services Consumer Panel, where we represented the interests of those who—often in times of trouble—need the help and advice of a lawyer.
We know that very many people who could do with legal assistance do not go, partly because they do not know that they need it, partly because they do not know how to get it, partly due to cost, but also because it is all a bit too intimidating. It often falls to the lawyer to reassure them not just about the particular case, but that what passes between them will be absolutely confidential and—for example, in the case of a domestic break-up or a child’s custody—will never be revealed to their former partner or others involved, including agencies of the state.
Therefore, this confidential relationship is key to people getting good advice and advocacy and a fair hearing, as well as being key, as we have already heard, to the role of our lawyers and the rule of law. However, we also understand that there will be occasions when some details of this relationship might be caught by powers included in the Bill. We look for some assurance that the maintenance of clients’ confidence is absolutely understood, and that any such occasions will be as limited as we have heard, and only after proper due process.
We look forward to hearing in the Minister’s response the Government’s current thinking and perhaps some indication of what they will be willing to bring forward on Report.
My Lords, I put my name to these amendments. I am grateful to the noble Lord, Lord Pannick, for the clear exposition he has given of the reasons for them, and I have listened to the anecdotal evidence provided by the noble Lord, Lord Carlile.
I think we are all agreed that proper legal professional privilege is vital to the rule of law. It is not a privilege of the legal profession but of the client, as the noble Baroness said. However, the illustrations show that some other factor may be buried in proper legal confidentiality. The example of information being passed on innocently is one such. It was not part of the legal professional privilege conversation but an adjunct to it—“Please pass this on to my girlfriend”. Another possible illustration, which I have discussed with the Minister, is that the location of the client might be mentioned incidentally. Where he happens to be is not crucial to the advice he gets or the information he gives in order to get it, which is, of course, the real reason the conversation is protected.
My Lords, my noble friend Lord Paddick and I have Amendments 86 to 88, 244 and 245 in this group, which takes us to the provision for payment towards compliance costs. Under Clause 222(1):
“The Secretary of State must ensure that arrangements are in force for securing that telecommunications operators and postal operators receive an appropriate contribution in respect of such of their relevant costs as the Secretary of State considers appropriate”.
As I read that, I wonder why it needs to be “an appropriate contribution” and such as the Secretary of State “considers appropriate” of their relevant costs. That is belt, braces and some other form of security.
Amendments 86 to 88 taken together provide for cover for all the operators’ costs, but those costs should be assessed objectively, and I feel quite strongly that the arrangements should be in place before the operational parts of the Bill are in force. The audit provision—the subject of the amendment of the noble Lord, Lord Rosser, and the noble Baroness, Lady Hayter—would remain, as is right.
I feel strongly about this because however much good will there is on both sides, if you do not get an agreement in place before you get on with the next stage of the operation, there is always the danger that you will not satisfy the parties. It is important not to leave the matter open.
There has been a lot of discussion of the quantum. The Minister in the Public Bill Committee said that 100% of the compliance cost will be met by the Government. He clarified that the estimated costing of £174 million—which illustrates why it is important to get the Bill right—
“is not a cap, but an estimate”.—[Official Report, Commons, Investigatory Powers Bill Committee, 3/5/16; col. 632.]
The Science and Technology Committee, reporting on the Bill, recommended:
“The Government should reconsider its reluctance for including in the Bill an explicit commitment that Government will pay the full costs incurred by compliance”.
It is a short point regarding an awful lot of money and potential exposure for the operators, so we are concerned to get the matter pinned down. I beg to move.
My Lords, as was mentioned, Amendment 89 stands in my name and that of my noble friend Lord Rosser. Clause 222(6) contains what is to me the unusual phrase:
“Different levels of contribution may apply for different cases or descriptions of case but the appropriate contribution must never be nil”.
“Must never be nil” is a slightly strange phrase, especially given that someone who, until a few hours ago, was the Home Secretary but is now the Prime Minister said on Second Reading:
“I reiterate … that … 100% of the compliance costs will be met by the Government”.
She was asked to provide a long-term commitment for that and said,
“we are clear about that in the Bill … it is not possible for one Government to bind the hands of any future Government in such areas, but we have been clear about that issue”.—[Official Report, Commons, 15/3/16; col. 821.]
However, being clear about the contribution which must never be nil is not what I call clarity.
Amendment 89 simply takes the then Home Secretary’s words as used in Parliament that the Government would meet 100% of the compliance costs, with full cost recovery for communication service providers, which, after all, have to implement the legislation. It is important to write it into the Bill to ensure that the financial impact of the legislation is transparent, not hidden, and to give forward confidence to those companies, whose activity in this country is already a little wobbly thanks to Brexit, that they will not at some point be hit by unexpected and unavoidable costs.
As was mentioned, Amendment 89 also allows for a proper audit to ensure that operators do not provide unduly high costings. Obviously, they can make no profit from these procedures because they are a departure from normal business, but they need those costs to be met. Cost recovery could be significant, but the Bill does not seem to put any limit on it at present. We will depend on the good will of these companies to make the Bill effective. We should not charge them for their willingness as well.
My Lords, this amendment seeks to ensure that communications service providers are fully reimbursed for their costs in connection with complying with obligations under this Bill, and that arrangements for doing so are in place before the provisions in the Bill come into force. It is, of course, important to recognise that service providers must not be unduly disadvantaged financially for complying with obligations placed upon them. Indeed, the Government have a long history of working with service providers on these matters. We have been absolutely clear that we are committed to cost recovery. I want to reaffirm to the Committee a point that my right honourable friend the Security Minister made very clear in the other place: this Government will reimburse 100% of reasonable costs incurred by communications service providers in relation to the acquisition and retention of communications data. This includes both capital and operational costs, including the costs associated with the retention of internet connection records. I hope that that assurance is helpful.
The key question that this Committee needs to consider is whether it is appropriate for the Government of today to tie the hands of future Governments on this issue. I wonder whether, on reflection, the noble Baroness thinks it right to press for that. That does not mean that we take our commitment lightly or that future Governments will necessarily change course. Indeed, I suggest that it is unlikely ever to be the case; for example, the current policy has not changed since the passage of the Regulation of Investigatory Powers Act 2000 and so has survived Governments of three different colours or combinations of colours.
This Government have been absolutely clear that we practised cost recovery and we have been consistent in our policy for a very long time. Indeed, this Bill adds additional safeguards requiring a data retention notice to set out the level of contribution that applies. This ensures that the provider must be consulted on any changes to the cost model and also means that the provider would be able to seek a review of any variation to the notice which affected the level of contribution. The Government already have arrangements in place for ensuring that providers receive appropriate contribution for their relevant costs without delay, so the amendment that seeks to ensure that they are in place before the provisions come into force is, I suggest, unnecessary. Accordingly, I invite the noble Baroness to withdraw her amendment.
My Lords, I am speaking to Amendments 92, 102 and 103 in my name. These amendments address aspects of two extremely strong powers granted to Ministers by the Bill which are tucked away at the back in Clauses 225 and 226. As we have heard, they are about national security notices and technical capability notices. Although they are not listed as powers under the Bill, they are, in fact, very strong, broad powers.
The national security notices permit, with some caveats, the Secretary of State to instruct the telecommunications operator to do whatever she considers necessary in the interests of national security. Technical capability notices enable, with some caveats, the Secretary of State to instruct an operator to develop or maintain a capability to assist the authorities. Both types of notice must be kept secret by the recipient, if the Secretary of State so wishes. In a recent amendment, the Government added the need for a judicial commissioner to approve both types of notice. This is a welcome step forward, as is the forthcoming repeal of Section 94 of the Telecommunications Act 1984, which has been used in the past to create new powers.
These three amendments address one particular capability specified in Clause 226(5)(c)—the removal of electronic protection. All the experts who gave evidence to the Joint Committee, and with whom I have discussed this matter since, agree that the phrase “removal of electronic protection” must include decryption of encrypted information and/or weakening of encryption in some way. They are deeply alarmed about it.
Encryption is a vital feature of all the financial, commercial and personal activity on the internet. The Government have confirmed on several occasions, including in answer to Questions in this House, that any weakening of our back-door access to encryption would threaten the entire operation of large parts of the digital economy. Once the integrity of cryptosecurity has been compromised for one set of users—in this case the Government—that weakness is available for everyone, including hackers, criminals, terrorists and hostile Governments, to exploit. Furthermore, as my noble friend Lord Paddick has said, UK plc has many successful businesses operating in the field of encryption products. They are very concerned that their clients will shun their products if they suspect that the Government have secretly weakened the security that these products offer. Unless this risk is eliminated from the Bill, they may have to take their companies abroad to avoid their products being tainted by the perceived risk of government damage to the security integrity of their products.
At the end of Second Reading in this House, the Minister, the noble and learned Lord, Lord Keen, stated:
“The provisions of the Bill do not weaken encryption or threaten it. We do not seek what have sometimes been erroneously termed “back doors” into encrypted material. I would seek to dispel any such suggestion”.—[Official Report, 27/6/16; col. 1461.]
These amendments simply seek to give force to that clear assurance by deleting the reference to “removal of electronic protection” and explicitly prohibiting the use of national security notices and technical capability notices for the purpose of “removal of electronic protection”. I commend them to the Committee.
My Lords, Amendment 93 stands in my name and that of my noble friend Lord Rosser and is on the same issue of encryption. Encryption is fundamental to keeping the whole of the digital economy safe and secure. It is widely used by business, government and consumers to protect sensitive and confidential information and as a building block in the advanced security technology which has been described.
The undermining of encryption would not simply mean that the communications of criminals could be read more easily; it would risk creating a major vulnerability in the security infrastructure, which could be exploited by various malicious actors, be they criminal gangs or rogue states. So it is important for this economy and for all the financial and other businesses that depend on it that the foundations of encryption technology remain absolutely firm.
There will be times when state security undoubtedly needs access to encrypted information for a specific investigation. This is not the problem. The problem is whether the Government would ever require a company to engineer such access, enforcing the company to create a model which, if then followed by other nations with perhaps less security than ours, would lead to a lowering of standards. We welcome the statement by the Government that they do not require industry to build back doors into their encrypted products. The Bill as it stands is perhaps not as clear as the commitments the Government have made.
Clause 226 risks making encryption intrinsically weaker if a company could be asked to build the ability to break the encryption. Amendment 93 seeks to address that. We hope the Government will understand that, when the request is made, they should not ask a company to develop a new way of breaking encryption that is not already within its ability. At the moment, the clause implies that, where companies that did not have the ability to remove the protection were issued with a notice, they would be required to build that capability so as to adhere to the notice. That is worrying the companies because of the general undermining of encryption. End-to-end encryption is essential to protect sensitive personal, commercial and security information. I think the Government share our concern that we should maintain that.
The thrust of Amendment 93 makes it explicit that a company would be required to remove the electronic protection only where it had the current capacity to do so and that it should not have to engineer it. We hope it will be accepted by the Government.
My Lords, first, I should draw attention to my interests in the register on policing and counterterrorism matters. Secondly, I should make clear that my starting point on the Bill is that it is important that the developing gaps in access to communications data are addressed to protect the nation against all sorts of threats.
In any set of counterterrorism or counterespionage measures, or whatever else it might be, you have to look at the balance and weigh the benefit to the nation in protecting its citizens by having those powers against the potential downside or consequences of exercising them.
When we come to the question contained in this group of amendments—essentially about enabling or requiring companies to break the apparent encryption—we have to look carefully at the potential downsides presented by this. The first downside, or danger, is that by enabling this to happen—by creating the mechanism and requiring companies, as my noble friend Lady Hayter said, to make new arrangements so that encryption can be broken—you create a back-door mechanism. This would be available not just to the forces of good—those who are trying to protect all our security—but to cybercriminals and those who would do us ill. Therefore you need to weigh clearly what you are trying to do against whether you are creating something that will make it easier for criminals and those who would do us harm.
The second element is the extent to which what we do in this country sets a precedent that will be seized in other countries, whose interests may not be the same as ours or as positive as ours towards their citizenry. If we create that precedent, what is to prevent Governments in other countries saying that they want the same powers and therefore doing the same? That test has to be applied to quite a number of the measures in the Bill. As I say, my starting point is that I want the state to be able to fill the gap in its access to communications data that is emerging and opening up. However, I want to hear from the Government a clear explanation of why in this set of cases the benefits outweigh the potential disbenefits.
It might be, but it might not be. Again, it depends on what is reasonably practicable in the particular circumstances. Those circumstances might vary from provider to provider and from situation to situation, so it is not possible for me to generalise about this, but I will take further advice and write to the noble Lord about it.
My Lords, the Minister spoke about what is possible and reasonable, but the point of our Amendment 93 is that a notice may not impose the requirement to build a facility that would break end-to-end encryption. We may need to return to this on Report, but it would perhaps be useful to have a discussion between now and then about imposing the requirement to build capacity to break end-to-end encryption.
I fear that the Minister is taking himself down a long cul-de-sac here, because the implication of what he is saying is that no one may develop end-to-end encryption. One feature of end-to-end encryption is that the provider cannot break it; encryption is private between the users at both ends. He seems to be implying that providers can use only encryption which can be broken and therefore cannot be end to end, so the next version of the Apple iPhone would in theory become illegal. I think that there is quite a lot of work to be done on this.
(8 years, 3 months ago)
Lords ChamberMy Lords, I would like to raise two points, if I may, about Amendment 66. I entirely agree with the suggestion that the consent should be in writing, and I would rather hope that the Minister will give us some reasons why it should not be, because on the face of it, it is an extremely sensible suggestion. As we all know, there is sometimes a certain degree of opaqueness regarding what people have or have not done. Looking at Clause 42, to which Amendment 66 applies, I have some difficulty in understanding the relationship between subsections (1) and (2). I am not sure why subsection (2) is there, given the language contained within subsection (1). Perhaps my noble friend can help us on that.
My Lords, I wish to speak briefly to Amendment 68, which is in my name and that of my noble friend Lord Rosser. Clause 45(1)(a) permits interception by a Revenue & Customs officer under Section 105 of the Postal Services Act 2000. That is the provision that contains the power to open postal items, so that is clear enough. However, Clause 45(1)(b) permits interceptions by, again, a Revenue & Customs officer under the same Section 105 “and another enactment”. It is the phrase “and another enactment” that I am not quite clear about. If Section 105 is sufficient, why add the words “and another enactment”? If it calls on some other law in order to legitimise this activity, should that not be detailed in the clause? Amendment 68 therefore proposes deleting the second arm—the “and another enactment” bit—unless the Minister can make some sense of it for me.
My Lords, let me turn first to Amendment 19. Clause 4 defines interception. It provides greater clarity in relation to the activity that constitutes interception than is currently the case under the Regulation of Investigatory Powers Act 2000—RIPA—and responds to calls from a number of quarters that such clarity is necessary. “Relevant time” is defined in Clause 4(4) to make clear that the interception offence can be committed at any time while the communication is being transmitted, or while the communication is being stored. Under RIPA, it is an offence to intercept a communication in the course of its transmission by means of a public telecommunications system. There had in the past been some uncertainty as to the scope of the offence; for example, whether a voicemail message stored by a telecommunications system was still in the course of its transmission, and therefore whether to access it without lawful authority would engage the offence of unlawful interception. The revised definition of interception in Clause 4 is intended to make clear that messages stored in or by the telecommunications system are caught within the definition of interception, and therefore cannot be accessed without lawful authority. This puts beyond doubt, for example, that so-called phone hacking constitutes unlawful interception.
If the Bill were amended in the manner suggested, it would, I believe, undermine the strong safeguards that the Bill provides for the protection of private communications. It would cast doubt over whether access to stored communications without lawful authority would engage the criminal offence, and it would be less clear when a public authority required a warrant to intercept communications.
Amendment 66 is not necessary and would be very difficult to implement in practice. Clause 42 simply makes clear that where both parties to a communication have consented to the communication being made available to a third party, this does not constitute unlawful interception. The Bill already requires that consent must be given in such instances for it to be lawful. On the example of a telephone call, plainly it would not be practical to write to an individual seeking their consent before continuing with that call. I hope that the noble Lord will not press that amendment.
I turn to Amendment 68. Clause 45 relates to the power of HM Revenue & Customs to inspect postal items to ensure that contraband or illegal items are not being imported or exported from the country. This clause is vital in countering terrorism and preventing and detecting serious and organised crime. RIPA was amended by the Policing and Crime Act 2009 to put beyond doubt that the protections from interception afforded to postal communications in RIPA did not restrict this vital Revenue & Customs power to check international postal traffic. This clause simply maintains this position. I hope that I have been able to provide some reassurance as to why this provision is necessary.
Could the Minister write on the amendment to Clause 45(1)? I was absolutely not suggesting by the amendment that the right would be lost for Customs & Revenue to intervene—it was about whether it needed to be under both Section 105 and, as it says,
“that section and another enactment”.
It was the clarity of the words “and another enactment” that I was asking about. I would be quite content to have a letter to clarify that point.
My Lords, I shall speak briefly about Amendment 148 in this group, which stands in my name and that of my noble friend Lord Rosser. It deals with what protections there should be for any journalist’s material collected as a result of any of these powers. In the case of material obtained that falls under normal rules of legal privilege, the Bill lays down the care with which such material should be treated under professional privilege. It is particularly important that the material is secured very safely, should anything from a journalist be held. Similarly for lawyers, material should secured very safely, and be seen by the fewest number of people possible. Anything that is not subsequently used in the investigation should be destroyed or returned and certainly not kept. That sort of safeguard should cover any journalist’s material, either under the Bill as it stands or as amended under Amendment 25.
The case has been made as to why it is so important to protect journalists’ sources. It encourages people to come forward to give what might be really important information to an independent source, who can then verify and publish it without the source’s identity being known. Sometimes, however, I have sympathy with people’s identity being known, when they are, for example, selling secrets they should not be to newspapers for large amounts of money. I am sorry that the noble Lord, Lord Black, was not here when we dealt with Amendment 18, as a number of newspapers have failed to work to implement Leveson. In discussion of what might constitute a journalist, perhaps anyone who works for a Leveson-compliant organisation, would be a good way of defining them. This might be the encouragement needed to bring that into being.
Guaranteeing anonymity has and always will be vital to the journalists’ profession, for the sake of those who go to them but also, as has just been mentioned, for the safety of journalists, literally hundreds of whom are killed around the world in the course of their duty. There can be little doubt that should some undesirable person or organisation think that a journalist who they have briefed or who has photographed or filmed them might hand that material over to the state, then that journalist becomes at risk. It is also essential that the use of powers that may affect journalists’ sources of information should be thought of being used only when there are exceptional and compelling reasons.
There will be times when journalists’ material gets scooped up, which is when it needs to be protected. More seriously, where journalists are being asked to hand over film or photographs, we share the desire that they should be fully protected, as outlined by the noble Viscount, Lord Colville. We hope that the Government have continued their discussion with the parties involved and we look forward to hearing an update.
My Lords, this Government have been clear on their continuing commitment to protecting the free press and freedom of expression in this country. In the Commons and at Second Reading, we committed to looking at this issue further and ensuring that the balance of such protections was exactly right. I thank noble Lords for tabling this amendment and giving us the opportunity to continue this important debate. The Government have listened carefully to the debate on these issues so far, and have continued to discuss them with media organisations. I have met journalists and their representatives for a very informative discussion. This engagement has proved extremely useful all round, not least in resolving misunderstandings about the relevant safeguards provided in existing legislation.
In response, the Government tabled amendments in the House of Commons strengthening the protections in the Bill for journalists’ sources. The amendment passed on Report places an extremely strong test in the Bill where a public authority seeks to use communications data to identify or confirm a journalist’s source. This means that a judicial commissioner—that is, a serving or former high court judge—must first consider the public interest in protecting a source of journalistic information and then be satisfied that there is another, overriding public interest before approving an application.
In addition, the Government introduced a new overarching privacy clause which makes it explicit that public authorities exercising functions under the Bill must have regard, for instance, to whether what is sought to be achieved by any authorisation may reasonably be achieved by other less intrusive means. It also requires persons exercising functions under the Bill, including authorising police officers and judicial commissioners, to have regard to the public interest in the protection of privacy as well as numerous other principles that underpin the legislation. These amendments clearly spell out in the Bill some of the protections that journalists seek.
Of course, the Bill proceeds from the widely accepted position, endorsed by the Joint Committee on Human Rights, that,
“review by a judge or other independent and impartial decision-making body”,
is the most significant safeguard required to protect the confidentiality of a journalist’s source. The Bill introduces that safeguard across all warrants. It specifically provides for judicial approval of any authorisation to acquire communications data for the purpose of identifying or confirming a journalist’s source.
Amendment 25 would apply a standard set of protections across the different powers provided for in the Bill. While I commend the intention to strengthen protections, the Government do not consider this blanket approach to be the right one. The powers in the Bill are not the same; they vary both in the material that can be acquired and the level of intrusion that such an acquisition represents. That is why the Bill ensures that additional protections are applied where they are most appropriate, providing for judicial authorisation of the most intrusive powers and mandating the use of less intrusive powers where that is possible. Indeed, journalists have it made clear to me that, uniquely, they consider communications data to be at least as intrusive as content, since they allow a source to be identified. That is exactly why the Government have, also uniquely, provided for judicial authorisation of communications data requests to identify a journalist’s source.
This Government agree—indeed they forcefully advocate—that confidential journalistic material and journalists’ interaction with their sources must be protected, but that does not mean that a journalist should receive blanket protection from legitimate investigation simply because of their chosen profession. The Bill ensures that protections are applied where they are required, that those who commit a crime or pose a threat to national security can be investigated, regardless of their chosen profession, and it does so in a way which is compatible with all our ECHR obligations. I should be clear that the Bill already requires any authorisation to relate to a legitimate ECHR Article 10 aim, as part of the amendment demands.
Extending protections to all,
“activities relating to journalistic information”,
as the amendment seeks to do, brings real practical implications which the Government do not consider appropriate. For example, it is clear that the content of an interview conducted in public should not be subject to the same stringent protections as a dossier of private, undisclosed material passed by a source and held in confidence. That would render meaningless those protections which are appropriately applied to confidential journalistic material.
In addition, the amendment would mean that a journalist suspected of committing a crime could be investigated only in an emergency situation where immediate action was necessary and an order to use the powers in the Bill was obtained from a judge—that is, if the crime had already taken place and there was no immediate danger, the powers could not be used to bring that individual to justice, nor could they be used to prove that individual’s innocence. I suggest that that is the wrong approach, and that is without considering the question, which even the National Union of Journalists has admitted is extremely difficult, of defining who is and who is not a journalist in the digital age.
Finally, on the question of the key decision-maker in this process, the Bill upholds the important principle of judicial involvement. A number of bodies representing the journalist profession have argued that the only way to prevent the powers in the Bill being misused is to allow a journalist to be involved in the judicial commissioner’s decision. The Government do not agree.
Of course, our security and intelligence and law enforcement agencies will in very limited circumstances have a legitimate need to investigate a journalist or their source. Where a journalist is suspected of a crime, it is clearly not appropriate that they should be alerted to the investigation, but there is a fundamental consideration here: these powers are by their very nature covert. Requiring prior notification would undoubtedly undermine the key purpose of the powers, whose use in relation to journalists, we should be clear, is already extremely limited.
Instead, the Bill provides for a robust regime to govern the use of the powers, with a clear role for judicial commissioners in authorising and overseeing their use by public authorities. It also sets out the offences that apply in the event that any of the powers are misused and provides for a world-leading oversight regime, led again by senior and independent judicial figures. The Bill takes a reasoned, balanced approach—the right approach—to protecting the important role of the media in a democratic society. It applies protection where it is needed without unduly hampering our law enforcement and security and intelligence agencies when they truly require the use of the powers. It is on that basis that I invite the noble Viscount to withdraw his amendment.
The noble Lord, Lord Strasburger, asked about protection for whistleblowers. The Joint Committee that was convened to scrutinise the draft Bill recommended that it make it clear that members of the intelligence services can raise concerns about the misuse of investigatory powers with the Investigatory Powers Commissioner without being at risk of prosecution for breaching the Official Secrets Act—that was recommendation 61. The Government included Clause 203—now Clause 212—on the Bill’s introduction to the House of Commons to give effect to the committee’s recommendation. The Bill will allow an individual to provide information on a voluntary basis to the Investigatory Powers Commissioner without that individual committing a criminal offence or incurring civil liability. Of course, any use of these investigatory powers must be for one of the purposes specified in the Bill, such as the prevention or detection of a crime or in the interests of national security. They cannot be used simply to protect any organisation’s reputation.
Amendment 148 would apply protections designed to provide the appropriate safeguards for a specific power to entirely different circumstances. “Exceptional and compelling” is a phrase which relates to a very specific set of circumstances: those in which the Secretary of State is satisfied, and the judicial commissioner agrees, that it is necessary to issue a warrant where the intention is to acquire legally privileged communications. Such circumstances will arise only in a very restricted range of cases, such as where there is a threat to life or limb or in the interests of national security and the interception is reasonably regarded as likely to yield intelligence necessary to counter the threat.
The test which the Government introduced into Clause 73 in the other place relates to the acquiring of communications data to identify or confirm a journalist’s source. It requires the judicial commissioner to have regard to the public interest in protecting journalists’ sources and then to consider, as I explained earlier, that there is another overriding public interest before granting the request. I suggest that that is the appropriate test because it reflects the requirements of freedom of expression under Article 10 of the European Convention on Human Rights.
This amendment also seeks to apply the arrangements provided for in relation to material acquired under an interception warrant to the handling, retention, use and destruction of communications data. While I commend the intention of this element of the amendment, it is unnecessary as equivalent safeguards are already to be found in chapter 11 of the Draft Communications Data Code of Practice. This chapter provides significant detail on the handling arrangements for communications data, placing stringent safeguards around how it is held: for instance, restrictions on who may access the data and for what purposes; when the data may be disclosed; and that when it is no longer necessary or proportionate to hold the data, it must be destroyed. These are strong safeguards which provide the appropriate protections for data.
As I noted earlier, the Bill takes what I would contend to be a reasoned and balanced approach—the right approach—to protecting the important role of the media in our society. I hope that, on that basis, the noble Baroness will not press her amendment.