(9 years, 10 months ago)
Lords ChamberMy Lords, I add my congratulations to the noble Lords, Lord Evans of Weardale and Lord Green of Deddington, on their maiden speeches and their thoughtful and insightful interventions on these vital issues of national security. Their experience is timely and we should all express our gratitude to them for serving in this House and bringing their great wealth of knowledge to this debate.
I welcome the opportunity to speak on this most important legislation and start by declaring my interest as the Prime Minister’s adviser on the digital economy. The focus of my remarks today will be on the issue of communications data and, specifically, Part 3 of the Bill, on data retention, which concerns a technical point but one with particular significance to counterterrorism efforts. I come to this discussion after decades of experience in executive roles with the world’s leading global internet and technology companies. In those roles I have witnessed first hand the vital importance of access to communications data to support law enforcement in serious and organised crime investigations as well as matters of national security.
It is important to be clear what we are talking about in Part 3. It is specifically about resolving IP address in order to identify the who, when, where and how of connections or communications. It does not provide for access to what people are saying or what they are sharing. Part 3 provides a simple technical fix to a technical problem of resolving an IP address. However, the value of that data can be pivotal in moving forward investigations. The police can use an IP address to prove or disprove an alibi, identify associations between suspects and tie an individual to a particular location or crime scene. Communications data have played a significant role in every security service counterterrorism operation over the last decade. These include the Oxford and Rochdale child grooming cases, the 2007 Glasgow Airport terror attack, and the Soham murders of Holly Wells and Jessica Chapman, to name but a few. If these data are not retained on reasonable terms, the implications are obvious.
Just last week, at the height of the horrific killings in and around Paris, Andrew Parker, director-general of MI5, spoke of the potential for mass casualty attacks in the UK by ISIL and al-Qaeda terrorists. He said:
“We increasingly face a world in which those who pose a serious threat may be able to operate beyond our reach”,
adding that MI5 will need,
“the right tools, legal powers and the assistance of companies which hold relevant data”.
He also warned that,
“a lack of cooperation from internet companies means that there is a risk of terrorists slipping through the net because MI5 cannot track them”,
and he renewed calls for enhanced access to digital communications.
As your Lordships will be aware, there are currently gaps in communications data capability that have a serious impact on the ability of law enforcement agencies to carry out their functions. One such gap is identified in the internet protocol address resolution in Part 3 of the Bill. The IP address identifies who in the real world was using the IP address at any point in time, or at least which device they were using, such as a mobile phone or a tablet. The IP address will not always tell us—
I apologise for intervening, but the noble Baroness is clearly an expert in these matters. Will she remove my ignorance? There are not enough IP addresses to go round, so you do not have one for every device, certainly not for every PC. So you can identify what device was using the IP address at any particular time, but how do you know who was using the device?
I hope noble Lords will understand if I carry on and then come back to the question, as I think that I may be able to answer it. However, it is a very good question and an important intervention.
The IP address will not always tell us who is operating the device, because the addresses are changed and shared when mobile phones move to connect between different masts, or laptops or tablets come online in the home, used by individuals across various networks. However, the IP address helps us significantly to narrow down the field: it is just one aspect of the information that we need. The communication service providers who issue the IP addresses to identify computers and mobile phones currently do not log which device is used at each address and when. This means that law enforcement agencies cannot work out who is using an IP address at a particular time. This impedes the investigations.
This legislation will amend the Data Retention and Investigatory Powers Act, which this House considered last summer, to enable Government to require that communication service providers, under a data retention notice, retain that data that can be used to link a specific device or individual to an IP address. We are not talking about requiring every single internet start-up to do so. The Government’s approach has always been proportionate and risk based, but without these data it is far harder, if not impossible, to attribute a particular action on the internet to an individual person.
These data will be available only to those public bodies that are entitled to them for lawful purposes where, on a case-by-case basis, this is necessary and proportionate. The value of these data can be clarified in this example: if a server hosting child sexual abuse images were to be seized, IP resolution would allow the police to trace the individuals who accessed the images where the server holds a log of the IP addresses and of the times that they were used.
This legislation asks for only a small addition to the automated systems that already run our nation’s communications infrastructure. The recording of which person uses which address and when is generated in the normal course of operation, and is thus not overly burdensome for these companies. This Bill will require CSPs, subject to reasonable notice, to retain vital data that can help dramatically in our country’s ongoing battle to bring criminals to justice, protect the most vulnerable and keep the United Kingdom safe.
Part 3 of this Bill is not politically controversial. As my noble friend the Minister has already mentioned, the Joint Committee on the Draft Communications Data Bill looked at this issue specifically and concluded that it did not think that IP address resolution raises any particular privacy concerns. These provisions will be limited. They will not enable the retention of weblogs, which, as some noble Lords have said today, become a list of the websites that you visit, for instance. Instead, they will help the appropriate agencies identify which device is the particular network identifier.
IP resolution will help us locate terrorists and criminals, but it is important to understand that it will not help us in every situation. The obligation to store the data in the UK is limited, but the technical action of resolving it must not be so. For instance, IP address resolution applies only to data generated or processed within the UK and not overseas, so it is thus further limited in scope and potential to combat what has become a global challenge. Furthermore, the rise in anonymous and encrypted internet traffic, the use of proxies and the sharing of one public IP address across hundreds if not thousands of devices make it ever harder to locate a specific device on the internet in the UK and abroad. Resolving IP addresses is an important first step, but it is only one part of a much larger problem that continues to morph and requires constant scrutiny, re-evaluation and response. We must remain diligent to stay ahead.
How do we address the wider problem and keep on top of the fast-moving threats that we face online? I believe that a new mode of collaboration between government and industry is needed to ensure a safe, creative and resilient internet from which we can learn, earn our livelihoods and keep in touch with our loved ones. We have done a lot of work in this Government to improve co-operation with internet and communications companies on the removal of terrorist and extremist content from their platforms, and to prohibit their use by those who will do so to distribute propaganda and radicalise our citizens. In its recent report on the brutal murder of Fusilier Lee Rigby, the Intelligence and Security Committee concluded that these companies must do more to fulfil their social responsibilities and help combat the serious threat that we face from terrorism. We must work with these companies to find better ways to alert government to the terrorist and illegal activities that threaten our livelihood.
Part 3 of this Bill is a significant step and one that we must all support, but it alone is not enough. There is no silver bullet. In specific terms, there remains a pressing need to update legislation to ensure that data for new types of internet communications on the ever evolving platforms and products are available in the future, just as data for telephony have been in the past. The Joint Committee on the Draft Communications Data Bill accepted this requirement, subject to the appropriate safeguards. David Anderson QC, the Independent Reviewer of Terrorism Legislation, is conducting a statutory review of these issues at present.
My right honourable friend the Prime Minister has been clear that we will need to return to this matter in the next Parliament. In fact, in light of recent events we must urgently do so. As a matter of general principle, this Bill is an important occasion on which to acknowledge and reflect on the importance of continued co-operation between government and the technology industry to assure the safety of our nation.