Online Safety Bill
Baroness Neville-Jones ExcerptsMonday 17th July 2023
(9 months, 2 weeks ago)
Lords ChamberRead Full debate Online Safety Act 2023 View all Online Safety Act 2023 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: HL Bill 151-V Fifth marshalled list for Report - (17 Jul 2023)
Baroness Neville-Jones (Con)
My Lords, I just want to reinforce what my noble friend Lord Bethell said about the amendments to which I have also put my name: Amendments 237ZA, 266AA and 272E. I was originally of the view that it was enough to give Ofcom the powers to enforce its own rulings. I have been persuaded that, pace my noble friend Lord Grade, the powers that have been given to Ofcom represent such a huge expansion that the likelihood of the regulator doing anything other than those things which it is obliged to do is rather remote. So I come to the conclusion that an obligation is the right way to put these things. I also agree with what has been said about the need to ensure that subsequent action is taken, in relation to a regulated service if it does not follow what Ofcom has set out.
I will also say a word about researchers. They are a resource that already exists. Indeed, there has been quite a lot of pushing, not least by me, on using this resource, first, to update the powers of the Computer Misuse Act, but also to enlarge our understanding of and ability to have information about the operation of online services. So this is a welcome move on the part of the Government, that they see the value of researchers in this context.
My noble friend Lord Moylan made a good point that the terms under which this function is exercised have to have regard to privacy as well as to transparency of operations. This is probably one of the reasons why we have not seen movement on this issue in the Computer Misuse Act and its updating, because it is intrinsically quite a difficult issue. But I believe that it has to be tackled, and I hope very much that the Government will not delay in bringing forward the necessary legislation that will ensure both that researchers are protected in the exercise of this function, which has been one of the issues, and that they are enabled to do something worth while. So I believe the Minister when he says that the Government may need to bring forward extra legislation on this; it is almost certainly the case. I hope very much that there will not be a great gap, so that we do not see this part of the proposals not coming into effect.
Lord Knight of Weymouth (Lab)
My Lords, we have had an important debate on a range of amendments to the Bill. There are some very important and good ones, to which I would say: “Better late than never”. I probably would not say that to Amendment 247A; I would maybe say “better never”, but we will come on to that. It is interesting that some of this has come to light following the debate on and scrutiny of the Digital Markets, Competition and Consumers Bill in another place. That might reinforce the need for post-legislative review of how this Bill, the competition Bill and the data Bill are working together in practice. Maybe we will need another Joint Committee, which will please the noble Lord, Lord Clement-Jones, no end.
There are many government amendments. The terms of service and takedown policy ones have been signed by my noble friend Lord Stevenson, and we support them. There are amendments on requiring information on algorithms in transparency reports; requiring search to put into transparency reports; how policies on illegal content and content that is harmful for children were arrived at; information about search algorithms; and physical access in an audit to view the operations of algorithms and other systems. Like the noble Baroness, Lady Kidron, I very much welcome, in this section anyway, that focus on systems, algorithms and process rather than solely on content.
However, Amendment 247A is problematic in respect of the trigger words, as the noble Lord, Lord Allan, referred to, of remote access and requiring a demonstration gathering real-time data. That raises a number of, as he said, non-trivial questions. I shall relay what some service providers have been saying to me. The Bill already provides Ofcom with equivalent powers under Schedule 12—such as rights of entry and inspection and extensive auditing powers—that could require them to operate any equipment or algorithms to produce information for Ofcom and/or allow Ofcom to observe the functioning of the regulated service. Crucially, safeguards are built into the provisions in Schedule 12 to ensure that Ofcom exercises them only in circumstances where the service provider is thought to be in breach of its duties and/or under a warrant, which has to have judicial approval, yet there appear to be no equivalent safeguards in relation to this power. I wonder whether, as it has come relatively late, that is an oversight that the Minister might want to address at Third Reading.
The policy intent, as I understand it, is to give Ofcom remote access to algorithms to ensure that service providers located out of the jurisdiction are not out of scope of Ofcom’s powers. Could that have been achieved by small drafting amendments to Schedule 12? In that case, the whole set of safeguards that we are concerned about would be in place because, so to speak, they would be in the right place. As drafted, the amendment appears to be an extension of Ofcom’s information-gathering powers that can be exercised as a first step against a service provider or access facility without any evidence that the service is in breach of its obligations or that any kind of enforcement action is necessary, which would be disproportionate and oppressive.
Given the weight of industry concern about the proportionality of these powers and their late addition, I urge the Minister to look at the addition of further safeguards around the use of these powers in the Bill and further clarification on the scope of the amendment as a power of escalation, including that it should be exercised as a measure of last resort, and only in circumstances where a service provider has not complied with its duty under the Bill or where the service provider has refused to comply with a prior information notice.
Amendment 247B is welcome because it gives the Minister the opportunity to tell us now that he wants to reflect on all this before Third Reading, work with us and, if necessary, come back with a tightening of the language and a resolution of these issues. I know his motivation is not to cause a problem late on in the Bill but he has a problem, and if he could reflect on it and come back at Third Reading then that would be helpful.
I welcome the amendments tabled by the noble Lord, Lord Bethell, on researcher access. This is another area where he has gone to great efforts to engage across the House with concerned parties, and we are grateful to him for doing so. Independent research is vital for us to understand how this new regime that we are creating is working. As he says, it is a UK strength, and we should play to that strength and not let it slip away inadvertently. We will not get the regime right first time, and we should not trust the platforms to tell us. We need access to independent researchers, and the amendments strike a good balance.
We look forward to the Minister deploying his listening ear, particularly to what the noble Baroness, Lady Harding, had to say on backstop powers. When he said in his opening speech that he would reflect, is he keeping open the option of reflecting and coming back at Third Reading, or is he reflecting only on the possibility of coming back in other legislation?
The noble Baroness, Lady Fraser, raised an important issue for the UK regulator, ensuring that it is listening to potential differences in public opinion in the four nations of our union and, similarly, analysing transparency reports. As she says, this is not about reserved matters but about respecting the individual nations and listening to their different voices. It may well be written into the work of Ofcom by design but we cannot assume that. We look forward to the Minister’s response, including on the questions from my noble friend on the consent process for the devolved Administrations to add offences to the regime.
Product Security and Telecommunications Infrastructure Bill
Baroness Neville-Jones ExcerptsTuesday 21st June 2022
(1 year, 10 months ago)
Lords ChamberRead Full debate Product Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 16-I(a) Amendment for Committee (Supplementary to the Marshalled List) - (20 Jun 2022)
Lord Arbuthnot of Edrom (Con)
My Lords, Amendment 16 proposes a statutory defence for ethical hackers. I am grateful to the noble Lord, Lord Clement-Jones, and to the CyberUp campaign, for their help. Again, I declare my interests as chairman of the Information Assurance Advisory Council, chairman of the Thales UK advisory panel and chairman of Electricity Resilience Limited.
The Computer Misuse Act 1990 criminalised unauthorised access to computer systems. The methods used by cybercriminals and cybersecurity professionals are often identical, which is one of the things that makes the drafting of this amendment rather problematic. Usually, criminals do not have permission for what they do, and cybersecurity professionals do, but I am told by the CyberUp campaign that there are occasions on which that permission is difficult or impossible for a cybersecurity professional to get.
At Second Reading, I cited the case of Rob Dyke, who has been through a legal tussle with the Apperta Foundation, which has since been in touch with me to put its side of the story. It is clear that it feels strongly that it was right to pursue Mr Dyke until he gave undertakings that allowed it to drop its litigation. I do not know the rights and wrongs of that, but the Apperta Foundation supports the principles put forward by CyberUp for a legal defence for offences under the Computer Misuse Act.
In any event, the Government are carrying out a review into the 1990 Act. CyberUp’s submission to it sets out that many in the cybersecurity profession do not know whether what they are doing is legal. This is because legislation in 1990 came in before much of what now happens with computers had been thought of—so it inevitably created ambiguities. In the 1990 Act, no consideration was given—I remember because I was there—to web scraping, port scanning or malware denotation, and people are not sure that they are legal. Some of us are not sure quite what they are.
This is why there needs to be certainty for cybersecurity researchers; they need to be able to do things for the public good. We cannot rely on the National Cyber Security Centre for everything, because even the Government cannot keep up with the speed of technological development, as has been mentioned. The CyberUp campaign recognises that legislation also cannot keep up with the speed of change, so it has helped with drafting this amendment not with a view to seeing it enacted—my noble friend will resist it for a number of good reasons—but with a view to eliciting from the Government a statement about how they are getting on with this aspect of the review of the Computer Misuse Act.
One suggestion that the CyberUp campaign makes is that
“legislation to mandate the courts to ‘have regard to’ Home Office or Department for Digital, Culture, Media and Sport … guidance on applying a statutory defence that would, ideally, be based on the framework”
of principles. This includes, first, the prospective benefits of the Act outweighing the prospective harms; secondly, reasonable steps being undertaken to minimise the “risks of causing harm”; thirdly, the actor demonstrably acting “in good faith”; and fourthly, the actor being “able to demonstrate … competence”. Here we may come back to the standards/principle discussion that we had on the first group.
So I expect my noble friend to reject this amendment, but I should be grateful if he could say where the Government’s thinking on the matter is.
Baroness Neville-Jones (Con)
My Lords, I speak in support of this amendment. My noble friend has just said that he doubts that the Government will adopt it, but, like him, I want to know where their thinking has got to.
The Computer Misuse Act is one of the first bits of legislation passed in the cyber era. It is old and out of date, and it is fair to say that it contains actively unhelpful provisions that place in legal jeopardy researchers who are doing work that is beneficial to cybersecurity. That is not a desirable piece of legislation to have on the statute book.
Last year, before the consultation that closed over a year ago, I corresponded with my noble friend Lady Williams. The common-sense reading of her reply was that the Home Office was quite aware that the Computer Misuse Act needed updating. I confess that I am a bit disappointed that, a year after the consultation closed, there still has not been a peep from the Government on this subject—either a draft or a statement of intention. It would be good to know where the Government are going, because it is quite damaging for this legislation as it stands to remain on the statute book: it needs modernisation.
Like my noble friend, I recognise that actually getting the drafting right is tricky and complex. Drafting language that strikes the right balance is not all that easy. But inability to find an ideal outcome is not a good reason for doing nothing, so I live in expectation, because the best must not be the enemy of the good. If the Government do not intend to produce legislation that updates that Act, I should like to see something in this legislation, taking advantage of it, at least to move the dial forward and protect ethical hackers to a greater extent than is the case at the moment.
If the Government are concerned about our drafting, I am sure we would be willing to listen to suggestions on a better formulation. In the absence of that, perhaps the Minister will say when and how the Government intend actually to modify a piece of legislation that has served its time and now needs to be superseded.
The Earl of Erroll (CB)
My Lords, very quickly, I remember well during the passage of the Computer Misuse Act and the Police and Justice Act 2006 trying to tidy up language about hacking tools and so on. It became very complicated and no one could quite work out how to do it, because the same thing could be used by baddies to do one thing and by good people to help maintain systems, et cetera. In the end, I think it went into the Act and they just said, “Well, we won’t prosecute the good guys”. Everyone felt that was a little inadequate. I do not know quite what we are going to do about it but it needs to be looked at. Therefore, this is a good start and I would welcome some discussion around it, because we need something in law to protect the good people as well as to catch the criminals.