Earl Howe
Main Page: Earl Howe (Conservative - Excepted Hereditary)Department Debates - View all Earl Howe's debates with the Ministry of Defence
Investigatory Powers Bill
Earl Howe Excerpts(8 years, 4 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Minister of State, Ministry of Defence (Earl Howe) (Con)
My Lords, Clause 48 maintains the position set out in RIPA that interception is lawful in certain circumstances in psychiatric hospitals. The clause sets out that interception is lawful if it takes place in any hospital premises where high-security psychiatric services are provided and is conducted in pursuance of, and in accordance with, any relevant direction given to the body providing those services at those premises.
While the clause provides that the interception is lawful, it is the relevant direction under the National Health Service Act 2006, the National Health Service (Wales) Act 2006, the National Health Service (Scotland) Act 1978, or the Mental Health (Care and Treatment) (Scotland) Act 2003, that sets out how and when the interception may be conducted—that is not a function of this Bill.
Clause 49 provides that certain interception carried out in relation to immigration detention facilities is lawful. The Immigration and Asylum Act 1999 contains powers for the Secretary of State to make rules for the management of immigration detention facilities, and Clause 49 provides that interception carried out in accordance with those rules will be lawful. At present, rules have been made only in respect of immigration removal centres—the Detention Centre Rules 2001. The interception of communications in relation to immigration removal centres, in line with the statutory rules, is purely for the purposes of maintaining the security of those centres or the safety of other persons, including detainees. It is right that officers should be able, for example, to intercept attempts to send controlled drugs or other contraband material into particularly sensitive and secure environments.
Contrary to speculative claims, this power can never be used to determine the outcome of any person’s asylum claim. Again, the precise circumstances in which interception may take place in immigration detention facilities are not a matter for the Bill. To be clear, the purpose of this clause is not to determine rules relating to the management of immigration detention facilities. The purpose of the clause is simply to make clear that conduct authorised and regulated under existing legislation—specifically, the Immigration and Asylum Act 1999—would be lawful.
Rules made under the 1999 Act about the regulation and management of detention facilities are subject to negative resolution, as specified in the Act and as agreed by Parliament. Such rules in relation to interception would be based on the clearly legitimate purposes already contained in the Detention Centre Rules 2001. The interception of communications in relation to immigration removal centres, in line with the statutory rules, is purely for the purposes of maintaining the security of those centres or the safety of other persons, including detainees, as I explained.
I hope the noble Baroness will accept that the amendments are unnecessary and that the clauses should stand part of the Bill.
Baroness Hamwee
My Lords, I have found it difficult throughout the Bill to accept that something is necessary just because it is in RIPA or is currently in effect. I am afraid I gave up chasing through the references in Clause 48—I thought my iPad was going to give out on me if I asked www.legislation.gov.uk any more questions on Sunday morning. I should have pursued this, and for that I apologise to the Committee. I think I am reassured by the explanations I have. I will go away and read the record, but I am grateful to the noble Earl.
Earl Howe
My Lords, in moving Amendment 73, I will speak also to Amendments 74, 75 and 76. I can be brief. These amendments add further conditions to Clause 50, which provides for circumstances in which a telecommunications operator may intercept communications in response to a valid overseas request. The additional conditions clarify that the Secretary of State must designate those international agreements to which this clause applies and require that the interception must be for the purpose of obtaining information about communications of people known, or believed to be, outside the United Kingdom. I beg to move.
“( ) the duties imposed by section 2 (general duties in relation to privacy);”
Baroness Hayter of Kentish Town
My Lords, as was mentioned, Amendment 89 stands in my name and that of my noble friend Lord Rosser. Clause 222(6) contains what is to me the unusual phrase:
“Different levels of contribution may apply for different cases or descriptions of case but the appropriate contribution must never be nil”.
“Must never be nil” is a slightly strange phrase, especially given that someone who, until a few hours ago, was the Home Secretary but is now the Prime Minister said on Second Reading:
“I reiterate … that … 100% of the compliance costs will be met by the Government”.
She was asked to provide a long-term commitment for that and said,
“we are clear about that in the Bill … it is not possible for one Government to bind the hands of any future Government in such areas, but we have been clear about that issue”.—[Official Report, Commons, 15/3/16; col. 821.]
However, being clear about the contribution which must never be nil is not what I call clarity.
Amendment 89 simply takes the then Home Secretary’s words as used in Parliament that the Government would meet 100% of the compliance costs, with full cost recovery for communication service providers, which, after all, have to implement the legislation. It is important to write it into the Bill to ensure that the financial impact of the legislation is transparent, not hidden, and to give forward confidence to those companies, whose activity in this country is already a little wobbly thanks to Brexit, that they will not at some point be hit by unexpected and unavoidable costs.
As was mentioned, Amendment 89 also allows for a proper audit to ensure that operators do not provide unduly high costings. Obviously, they can make no profit from these procedures because they are a departure from normal business, but they need those costs to be met. Cost recovery could be significant, but the Bill does not seem to put any limit on it at present. We will depend on the good will of these companies to make the Bill effective. We should not charge them for their willingness as well.
Earl Howe
My Lords, this amendment seeks to ensure that communications service providers are fully reimbursed for their costs in connection with complying with obligations under this Bill, and that arrangements for doing so are in place before the provisions in the Bill come into force. It is, of course, important to recognise that service providers must not be unduly disadvantaged financially for complying with obligations placed upon them. Indeed, the Government have a long history of working with service providers on these matters. We have been absolutely clear that we are committed to cost recovery. I want to reaffirm to the Committee a point that my right honourable friend the Security Minister made very clear in the other place: this Government will reimburse 100% of reasonable costs incurred by communications service providers in relation to the acquisition and retention of communications data. This includes both capital and operational costs, including the costs associated with the retention of internet connection records. I hope that that assurance is helpful.
The key question that this Committee needs to consider is whether it is appropriate for the Government of today to tie the hands of future Governments on this issue. I wonder whether, on reflection, the noble Baroness thinks it right to press for that. That does not mean that we take our commitment lightly or that future Governments will necessarily change course. Indeed, I suggest that it is unlikely ever to be the case; for example, the current policy has not changed since the passage of the Regulation of Investigatory Powers Act 2000 and so has survived Governments of three different colours or combinations of colours.
This Government have been absolutely clear that we practised cost recovery and we have been consistent in our policy for a very long time. Indeed, this Bill adds additional safeguards requiring a data retention notice to set out the level of contribution that applies. This ensures that the provider must be consulted on any changes to the cost model and also means that the provider would be able to seek a review of any variation to the notice which affected the level of contribution. The Government already have arrangements in place for ensuring that providers receive appropriate contribution for their relevant costs without delay, so the amendment that seeks to ensure that they are in place before the provisions come into force is, I suggest, unnecessary. Accordingly, I invite the noble Baroness to withdraw her amendment.
Baroness Hamwee
My Lords, I wrote down a number of phrases, including “not unduly disadvantaged”. In the light of the absolute, clear commitment to full cost recovery, I wonder whether “unduly” is the right term. I also wrote down “100% of reasonable costs” that ought to be covered by the audit provision. The noble Earl has just referred to an appropriate contribution for relevant costs. I am sure he will understand where I am going with these terms.
The noble Earl asks whether it is appropriate to tie the hands of future Governments. I would say that in this instance it is appropriate, because a future Government can bring forward future legislation and that would be the way to do it—not to seek to resile from what everyone regards as a very important commitment given, but where there is a detraction from it in the terminology of Clause 222. I do not know whether the noble Earl is in a position to make a comment about “unduly” now. I suspect he is not. It is a rather unfair question from me.
Earl Howe
We are clear that it is important to ensure that communications service providers are neither advantaged nor disadvantaged by obligations imposed under the Bill. The Government will maintain, therefore, their long-standing policy of making a reasonable contribution to costs, but it is unthinkable that the Government would seek to place any unreasonable financial burdens on a company simply for complying with a warrant. So we are talking about reasonable costs. That is surely right. It is not appropriate for the taxpayer to subsidise unreasonable costs, but as I have said, we have made a commitment to reimburse 100% of reasonable costs incurred by the communications service providers, and that includes both capital and operational costs.
(a) this Act;(b) the Intelligence Services Act 1994;(c) the Regulation of Investigatory Powers Act 2000;(d) the Regulation of Investigatory Powers (Scotland) Act 2000 (2000 asp 11).”
Earl Howe
My Lords, I shall also speak to the other government amendments in this group. These amendments seek to make minor changes to the notice-giving provisions in Part 9 of the Bill. Clause 225 provides for the Secretary of State to give a notice to a telecommunications operator in the United Kingdom requiring it to take steps in the interests of national security. Such a power is a critical tool in protecting our national security.
The power can only be exercised if the Secretary of State is satisfied that the steps required by a notice are necessary in the interests of national security and proportionate to what is sought to be achieved. The Government amended the Bill in the other place to provide for the application of the double-lock authorisation process to national security notices. This means that a national security notice could not be given unless a judicial commissioner had approved it.
This will replace the existing power in Section 94 of the Telecommunications Act 1984 which has been used for a range of purposes, including for the acquisition of communications data in bulk. This is now provided for in Part 6 of the Bill. Section 94 of the Telecommunications Act will be repealed. The power provided for by this clause will be used for a much narrower set of purposes than Section 94, but those purposes are nevertheless critical to our national security. The type of support that may be required from communication service providers includes the provision of services or facilities which would assist the intelligence agencies to carry out their functions more securely, or in dealing with an emergency as defined in the Civil Contingencies Act 2004.
A national security notice cannot be used for the primary purpose of obtaining communications or data. Clause 225(4) provides that a national security notice may not require the taking of any steps the main purpose of which is to do something for which a warrant or authorisation is required under the Bill. This amendment makes it clear that it is also the case that a notice may not require the taking of any steps the main purpose of which is to do something for which a warrant or authorisation is required under legislation which authorises the use of investigatory powers.
Amendment 90 lists the other statutes that provide for agencies to obtain data covertly—namely, the Regulation of Investigatory Powers Act 2000, the Regulation of Investigatory Powers (Scotland) Act 2000 and the Intelligence Services Act 1994. The amendment puts it beyond doubt that a national security notice cannot be used to circumvent the need to obtain a warrant or authorisation provided for in the Bill or in other relevant statutes.
I turn to Clause 226, which provides for the Secretary of State to give a technical capability notice to a telecommunications or postal operator requiring the operator to maintain permanent technical capabilities. The power builds on the current power in the Regulation of Investigatory Powers Act 2000 where a company can be obligated to maintain a permanent interception capability. The purpose of maintaining a technical capability is to ensure that, when a warrant is served, companies can give effect to it securely and quickly. The provision is particularly important when law enforcement or the security and intelligence agencies need to work at pace to identify and counter the actions of those who pose an immediate threat to the UK.
Subsection (7) of that clause provides for a technical capability notice to specify the period within which the steps set out in the notice are to be taken by the relevant operator. In practice, it will often be the case that a notice will require the creation of new technical systems. The time taken to design and construct such a system, including developing new pieces of technical hardware and implementing appropriate security measures, may lead to different elements of the notice taking effect at different times.
Government Amendments 94 and 95 propose a minor change to subsection (7) of the clause to make it clear that, where appropriate, a notice will permit different steps required in the notice to be taken at different times. The amendment will provide clarity to operators and ensure that the Bill reflects what needs to happen in practice. The Government propose a further minor amendment to the notice-giving provisions, this time to Clause 229, which provides for the Secretary of State to vary or revoke technical capability notices and national security notices.
Amendment 106 reads across provisions in Clause 228 that provide for the primacy of national security notices over aspects of the Communications Act 2003. The amendment does not change the effect of the provision but would make explicit that, when a national security notice is varied under Clause 229, the obligations in the notice as varied continue to have primacy over obligations imposed by Part 1, or Chapter 1 of Part 2, of the Communications Act 2003. The amendment replicates a provision previously provided for in the Telecommunications Act 1984, as amended by the Communications Act 2003, and removes any ambiguity about how the obligations set out in a national security notice as varied relate to those provided for in relevant parts of the Communications Act 2003.
Lastly, the Government propose Amendments 107, 110, and 111 to Clause 230. This clause makes provision for a person to request a review of the requirements imposed on them in a technical capability notice, or a national security notice. A person may refer the whole or any part of a notice to the Secretary of State for review after a notice is given or varied. The Government amended the Bill in the other place to provide for the double lock to be applied to the giving of notices. This means that a judicial commissioner must approve the Secretary of State’s decision to give a notice. The amendments that we are now considering would revise the review process to reflect this new role.
The proposed revised process is as follows: before reaching a decision on the outcome of the review, the Secretary of State must consult a judicial commissioner and the technical advisory board. The technical advisory board, a group of experts drawn from telecommunications operators and the intercepting agencies, will be required to advise on the technical feasibility of the requirements set out in a notice and the costs. The judicial commissioner will consider the requirements imposed by the notice on proportionality grounds.
As was previously the case, the judicial commissioner and the technical advisory board will be required to provide an opportunity for the person to whom the notice has been given and the Secretary of State to present evidence or make representations. The conclusions of the judicial commissioner and the board will be reported to the person and the Secretary of State. After considering these conclusions, the Secretary of State may decide to confirm the effect of the notice, vary the notice or withdraw it. Where the Secretary of State decides to confirm the effect of a notice or vary a notice, the Investigatory Powers Commissioner must approve the decision. Until the commissioner has approved the review decision, there is no requirement for the person who has referred the notice to comply with the specific obligations under review.
These amendments will strengthen the review process and will properly reflect the role of a judicial commissioner in approving the decision to give a notice. I hope the Committee will feel able to accept these amendments, and I beg to move.
Lord Paddick
My Lords, my noble friend Lady Hamwee and I have three amendments in this group. As a means of probing concerns about both national security notices and technical capability notices, we are suggesting that Clauses 225 and 226 stand part of the Bill, but we propose, in Amendment 92, that the provision in Clause 226(5)(c),
“obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”,
be deleted. These provisions are some of the most concerning for communications companies and the technology sector in the UK as they appear to provide open-ended and unconstrained powers, although I accept that the amendments that the Government have put forward today, as outlined by the Minister, provide significantly more oversight than was originally suggested in the Bill.
National security notices can require a communications provider in the UK,
“to carry out any conduct, including the provision of services or facilities, for the purpose of”—
this is in Clause 225(3)(a)(i)—
“facilitating anything done by an intelligence service under any enactment other than this Act”.
So the power is not limited to facilitating the use of powers under the Bill but any other legislation as well. The power is to do anything that the national security notice requires.
Technical capability notices enable the Government to require communications operators to comply with any “applicable obligations” specified in the notice, and the recipient must not only comply but must not disclose that they have been served with the notice, seemingly including, under Clause 226(5)(c), to remove encryption. However necessary or proportionate such notices may be—and I accept that, with the double lock now in place, that will be tested—there could be a suspicion that UK communications companies and the UK technology sector are subject to such notices, undermining customer confidence in the security of the network or device that they are using.
Although such a notice may be served to persons outside the UK, and may require things to be done outside the UK, such notices are not legally enforceable outside the UK. As well as undermining public confidence in the security of UK networks and technology, such notices have the potential to act as a competitive disadvantage to UK technology businesses. Instead of the power to force a company to remove encryption from a whole service or technology, alternative and more targeted powers should be used instead.
Lord Harris of Haringey (Lab)
My Lords, first, I should draw attention to my interests in the register on policing and counterterrorism matters. Secondly, I should make clear that my starting point on the Bill is that it is important that the developing gaps in access to communications data are addressed to protect the nation against all sorts of threats.
In any set of counterterrorism or counterespionage measures, or whatever else it might be, you have to look at the balance and weigh the benefit to the nation in protecting its citizens by having those powers against the potential downside or consequences of exercising them.
When we come to the question contained in this group of amendments—essentially about enabling or requiring companies to break the apparent encryption—we have to look carefully at the potential downsides presented by this. The first downside, or danger, is that by enabling this to happen—by creating the mechanism and requiring companies, as my noble friend Lady Hayter said, to make new arrangements so that encryption can be broken—you create a back-door mechanism. This would be available not just to the forces of good—those who are trying to protect all our security—but to cybercriminals and those who would do us ill. Therefore you need to weigh clearly what you are trying to do against whether you are creating something that will make it easier for criminals and those who would do us harm.
The second element is the extent to which what we do in this country sets a precedent that will be seized in other countries, whose interests may not be the same as ours or as positive as ours towards their citizenry. If we create that precedent, what is to prevent Governments in other countries saying that they want the same powers and therefore doing the same? That test has to be applied to quite a number of the measures in the Bill. As I say, my starting point is that I want the state to be able to fill the gap in its access to communications data that is emerging and opening up. However, I want to hear from the Government a clear explanation of why in this set of cases the benefits outweigh the potential disbenefits.
Earl Howe
My Lords, a number of amendments here separately seek to remove the encryption provisions from Part 9 or propose modifications to them.
I will begin with Amendments 92, 102 and 103, which propose removing the encryption provisions from Clauses 226 and 228. If these are anything other than probing amendments, I have to say that they are irresponsible proposals, which would remove the Government’s ability to give a technical capability notice to telecommunications operators requiring them to remove encryption from the communications of criminals, terrorists and foreign spies. This is a vital power, without which the ability of the police and intelligence agencies to intercept communications in an intelligible form would be considerably diluted.
Let me be clear: the Government recognise the importance of encryption. Encryption keeps people’s personal data and intellectual property secure and ensures safe online commerce. The Government work closely with industry and businesses to improve their cybersecurity. However, law enforcement and the intelligence agencies must retain the ability to require telecommunications operators to remove encryption in limited circumstances—subject to strong controls and safeguards—to address the increasing technical sophistication of those who would seek to do us harm.
Encryption is now almost ubiquitous and is the default setting for most IT products and online services. If we do not provide for access to encrypted communications when it is necessary and proportionate to do so, we must simply accept that there can be areas online beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. That cannot be right.
These provisions simply maintain the current legal position in relation to encryption and go no further. They retain the ability of law enforcement and the security and intelligence agencies to require companies to remove encryption that they have applied, or that has been applied on their behalf, in tightly prescribed circumstances. It would not—and under the Bill could not—be used to ask companies to do anything that it is not reasonably practicable for them to do.
The safeguards that apply to the use of these provisions have been strengthened during the Bill’s passage through Parliament. First, the “double-lock” authorisation process now applies to the giving of notices, which means that a judicial commissioner must approve the Secretary of State’s decision to give a notice. The Secretary of State must also consult the relevant operator before a notice is given. The draft codes of practice, which were published alongside the introduction of the Bill, make clear that should the telecommunications operator have concerns about the reasonableness, cost or technical feasibility of any requirements to be set out in the notice—which includes any obligations relating to the removal of encryption—it should raise them during the consultation process. Furthermore, the new privacy clause in the Bill requires that regard be given by the Secretary of State to the public interest in the integrity and security of telecommunications systems when deciding whether to give a technical capability notice.
Lord Paddick
Can the Minister comment on the fact that increasingly, encryption is end-to-end, and can he say whether national security notices and technical capability notices would be of any use in circumstances where people were using end-to-end encryption? Can he also comment on a suggestion that instead of these notices, targeted equipment interference would be more useful in that it could deal with the problem of end-to-end encryption?
Earl Howe
Certainly, targeted equipment interference is, if you like, the next step should interception not be possible for any reason. However, I will answer the noble Lord’s first question, on end-to-end encrypted services. We start from the position that we do not think that companies should provide safe spaces to criminals to communicate. They should maintain the ability, when presented with an authorisation under UK law, to access those communications. We will work with industry to ensure that, with clear oversight and the legal framework I have in part alluded to, the police and intelligence agencies can access the content of terrorists’ and criminals’ communications when a warrant has been approved in the usual way.
We will of course consider what steps are reasonably practicable for an individual telecommunications operator, taking account of a range of factors, including technical feasibility and likely cost. We recognise that what is reasonably practicable for one telecommunications operator may not be for another, so any decision will have regard to the particular circumstances of the case. However, I cannot go into our relationships with individual companies, as the noble Lord will understand. It is important to understand that the Bill does not ban encryption or do anything to limit the use of fully encrypted services.
Lord Strasburger
I thank the Minister for giving way. I think this is the first time I have heard the Government admit that the phrase “removal of electronic protection” does in fact refer to encryption.
I want to emphasise—and anybody in the cryptography industry will spell this out—that you cannot have it both ways. Either encryption is secure, or it is not; it cannot be insecure for a small group of users and secure for everybody else. Once encryption is weakened, it is weakened for everyone and once this is done at the request of the Government, it is available to all the people I listed earlier who would do us harm. I would also point out that there are a myriad of encryption products available outside the UK—ISIS has its own set, and I have seen the manual. There are any number of ways that people who want to use encryption for malign purposes can acquire it and use it in a way that UK companies cannot break.
Lastly, when I was at GCHQ, it seemed fairly relaxed about the threat of encryption because it is very confident that it can use the other means we have referred to, such as equipment interference, to get the unencrypted data it wants. But the main point, which the Government really do have to take on board, is that encryption is either strong or it is not. It cannot be partially strong—that is, strong for most and weak for the Government.
Earl Howe
I shall of course reflect on those points, which I was already aware of. It is important to emphasise that any encryption arrangements that a communications service provider has not itself applied, or had applied on its behalf, would almost inevitably fall outside these provisions because it would not be reasonably practicable for the company to de-encrypt. Many of the biggest companies in the world rely on strong encryption to provide safe and secure communications and e-commerce, but nevertheless retain the ability to access the contents of their users’ communications for their own business purposes—and, indeed, those companies’ reputations rest on their ability to protect their users’ data. In many cases, we are not asking companies to do something that they would not do in the normal course of their business, but I note what the noble Lord has said.
Amendment 93 deals with the subject of end-to-end encryption more specifically. This matter was discussed in detail in another place, so I will reiterate what was said there to explain why this is not an appropriate amendment. I have already outlined the strict safeguards that will apply. This amendment is not necessary because the Bill makes absolutely clear that a telecommunications operator would not be obligated to remove encryption where it is not reasonably practicable for it to do so. It is important to highlight that the amendment would in many cases prevent our law enforcement and security and intelligence agencies from being able to work constructively with telecommunications operators as technology develops to ensure that they can access the content of terrorists’ and criminals’ communications. Depending on the individual company and circumstances of the case, it may be entirely sensible for the Government to work with them to determine whether it would be reasonably practicable to take steps to develop and maintain a technical capability to remove encryption that has been applied to communications or data. But the amendment would signpost to terrorists and criminals that there are communications services they can use to communicate with each other unimpeded and which the authorities will never be able to access. That cannot be right.
Amendments 108 and 109 propose changes to Clause 230, which provides for a telecommunications or postal operator to request a review by the Secretary of State of the obligations imposed on it by a technical capability notice or a national security notice. The Secretary of State must seek the views of the Technical Advisory Board—a group of experts drawn from the telecommunications operators and the intercepting agencies—and the Investigatory Powers Commissioner before deciding the review.
Amendment 109 seeks to insert the double-lock authorisation process into that review. I contend that this is unnecessary. The Government have an amendment which provides that the Secretary of State must initially consult the judicial commissioner on proportionality, and that the Secretary of State’s decision following the review must be approved by the Investigatory Powers Commissioner. As I have explained, if after consulting the commissioner and the Technical Advisory Board, the Secretary of State decides to confirm the effect of a notice or vary it, the Investigatory Powers Commissioner must approve that decision, so the amendment is not required.
Amendment 108 seeks to require the Technical Advisory Board to consider the consequences for others likely to be affected by obligations imposed by a notice. This proposal was first raised in the other place and, following discussion, considered to be unnecessary. I will briefly explain why. First, the Technical Advisory Board has a very specific role to play in advising the Secretary of State on cost and technical grounds. This role is reflected in its membership. Board members are drawn from the telecommunications industry and those persons entitled to apply for warrants and authorisations under the Bill. These experts are well placed to consider the technical requirements and the specific financial consequences of the notice. If they consider it appropriate, they may look beyond cost and technical feasibility, but those factors are rightly their focus.
The responsibility for considering the broader effect of the notice on the operator to whom it has been given sits with the judicial commissioner, and it is right that the commissioner has this role. As part of any review into the obligations set out in a notice, the commissioner must report on their proportionality. This would include an assessment of its consequences, both for the person seeking the review and for anyone else affected by it. Furthermore, the clause requires the commissioner to seek out the views of the person who has received the notice. The person will have an opportunity to raise any concerns regarding the effect of the notice with the commissioner for consideration, and the commissioner must report his or her conclusions to the person and the Secretary of State. In my view, and as concluded following discussion in the other place, the Investigatory Powers Commissioner is rightly placed to carefully assess proportionality as a whole. The amended wording would introduce unnecessary duplication and ambiguity over what the board and Investigatory Powers Commissioner are each considering.
Finally, allow me to turn to another part of the Bill. I welcome the intent of Amendment 129, which seeks to clarify the scope of the restrictions on the acquisition of internet connection records. The clarity that noble Lords intend to create with this amendment is already provided in the code of practice, and I hope I can reassure noble Lords that there are good reasons why this definition should not appear in the Bill. The Bill already contains definitions of “telecommunications service” and “communication” which make very clear that a communication can include messages between individuals, between individuals and machines, and between machines. This maintains the existing position in RIPA, and it is absolutely right that the powers and, indeed, safeguards in this Bill apply to all forms of communication.
Taken in its broadest sense an “internet communications service” is simply a telecommunications service that involves communication over the internet and it should rightly include all forms of internet communication. But in the context of internet connection records the term is used to mean services that facilitate communications between two or more individuals, like email or social networking websites. An “internet service”, by contrast, is any other communication service a person could connect to over the internet, including person to machine communications, such as a person accessing a website. This distinction is made clear in the code of practice, which is the appropriate place for it because the definition has a different meaning in other contexts in the Bill.
I hope that noble Lords will be reassured that the definition is contained in the code of practice. We are concerned that defining “internet communications service” on the face of the Bill in the way proposed could cast doubt on the scope of the Bill in so far as it applies to internet communication services more generally. For all the reasons that I have set out, I ask noble Lords not to press their amendments.
Lord Harris of Haringey
My Lords, can the Minister clarify for me—I am sure that other noble Lords have got to the point precisely—that the requirements that the Bill seeks to create will apply only where a service provider has offered a service which most people might assume is secure and encrypted but has built in an existing arrangement which allows it to access it? Would it apply only in those circumstances? If that is not the case, perhaps the Minister could explain in what other circumstances it might apply. Can he further tell us whether there is an expectation in the Bill that, where a service provider is developing a new service, it must ensure that it has the facility to access what the user would assume are encrypted data?
Earl Howe
The answer to both questions is that it depends on what is reasonably practicable for the communications service provider. The power will apply usually to encryption that the provider has applied or has been applied on its behalf. If there are other circumstances where it would apply, I will take advice and write to the noble Lord, but we come back to what is reasonably practicable for the company. It is why the Government maintain a dialogue with communications service providers to ascertain what is practicable and what is not, and what would be cost effective and what would not be. However, broadly speaking, the noble Lord was right.
Lord Harris of Haringey
I am sorry to press the point, but I need to understand it. I understand the Minister’s answer in respect of the requirement applying where it is reasonably practicable because the encryption arrangement has been applied by the service provider, but is he saying that there is an expectation that in building new services a service provider should create something where it is technically possible for it to undermine that encryption? If so, that would raise a very different point which is important to clarify. Is the service provider required to make it technically practicable in future services as it develops them for this to be allowed?
Earl Howe
It might be, but it might not be. Again, it depends on what is reasonably practicable in the particular circumstances. Those circumstances might vary from provider to provider and from situation to situation, so it is not possible for me to generalise about this, but I will take further advice and write to the noble Lord about it.
Baroness Hayter of Kentish Town
My Lords, the Minister spoke about what is possible and reasonable, but the point of our Amendment 93 is that a notice may not impose the requirement to build a facility that would break end-to-end encryption. We may need to return to this on Report, but it would perhaps be useful to have a discussion between now and then about imposing the requirement to build capacity to break end-to-end encryption.
Lord Strasburger
I fear that the Minister is taking himself down a long cul-de-sac here, because the implication of what he is saying is that no one may develop end-to-end encryption. One feature of end-to-end encryption is that the provider cannot break it; encryption is private between the users at both ends. He seems to be implying that providers can use only encryption which can be broken and therefore cannot be end to end, so the next version of the Apple iPhone would in theory become illegal. I think that there is quite a lot of work to be done on this.
Earl Howe
I was certainly not implying that the Government wished to ban end-to-end encryption; in fact, we do not seek to ban any kind of encryption. However, there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication. It is not possible to generalise in this situation. I am advised that the Apple case to which the noble Lord referred could not occur in this country in the same way.
Lord Harris of Haringey
Is the Minister therefore saying the Government’s expectation is that service providers will in future ensure that it is reasonably practicable for them to access those communications? If that is the case, I think that he is raising a whole new group of issues.
Earl Howe
The Bill is clear that any attempt to obtain communications data must be necessary and proportionate, or it will not be permitted. It is crucial that the Bill provides a robust, legal framework which means that the law is consistently applied correctly. That is why we are introducing the double lock involving judges signing off warrants for the most intrusive powers, which means that the Secretary of State’s decisions, other than in the most urgent cases, will be independently scrutinised before warrants can be issued. I come back to the central point here, which relates to encryption: we do not think that companies should provide safe spaces to terrorists and other criminals in which to communicate. They should maintain the ability when presented with an authorisation under UK law to access those communications.
(a) ”
(a) ”
“( ) But the Secretary of State may vary the notice, or give a notice under subsection (9)(b) confirming its effect, only if the Secretary of State’s decision to do so has been approved by the Investigatory Powers Commissioner.”
“Approval of notices following review under section 230
(1) In this section “relevant notice” means—(a) a national security notice under section 225, or(b) a technical capability notice under section 226.(2) In deciding whether to approve a decision to vary a relevant notice as mentioned in section 230(9)(a), or to give a notice under section 230(9)(b) confirming the effect of a relevant notice, the Investigatory Powers Commissioner must review the Secretary of State’s conclusions as to the following matters—(a) whether the relevant notice as varied or confirmed is necessary as mentioned in section 225(1)(a) or (as the case may be) section 226(1)(a), and(b) whether the conduct required by the relevant notice, as varied or confirmed, is proportionate to what is sought to be achieved by that conduct.(3) In doing so, the Investigatory Powers Commissioner must—(a) apply the same principles as would be applied by a court on an application for judicial review, and(b) consider the matters referred to in subsection (2) with a sufficient degree of care as to ensure that the Investigatory Powers Commissioner complies with the duties imposed by section 2(general duties in relation to privacy).(4) Where the Investigatory Powers Commissioner refuses to approve a decision to vary a relevant notice as mentioned in section 230(9)(a), or to give a notice under section 230(9)(b) confirming the effect of a relevant notice, the Investigatory Powers Commissioner must give the Secretary of State written reasons for the refusal.”