(8 years, 8 months ago)
Public Bill CommitteesThat is a fair argument and that is why it is necessary to supplement what the hon. and learned Gentleman describes with the code of practice in the way that I have described. My invitation to him was that if he accepts that, he might want to focus attention on the code of practice to see whether it is as good as it might be. I drew attention to the provision on the necessity and proportionality. It might be that the draft could be further improved. After all, nothing, at least on earth, is perfect, and certainly no Government would want to claim perfection—
Is it not impossible that privacy will not be considered as part of any application? Proportionality runs through the authorisation regime, and if a single point of contact has to apply a proportionality test, by definition and necessity, he will incorporate a wide-ranging consideration of the impact on privacy.
(8 years, 8 months ago)
Public Bill CommitteesWelcome to the Chair, Mr Owen, for my first contribution to this Committee.
Regarding amendments 59 and 60, is it not the position that bulk interception is provided for under section 8(4) of RIPA and is therefore subject to tests of necessity and proportionality? If it relates to a British citizen within the British Isles and an analyst wishes to select for examination the content of the communication of an individual known to be located in the British islands, the analyst has to apply to the Secretary of State for additional authorisation under section 16(3) of RIPA—similar to section 8(1). There are robust and extensive safeguards in place for this purpose.
I am delighted to be able to say in response to that extremely well informed intervention that my hon. Friend is right. The Bill does not actually add to bulk powers, contrary to what some have assumed and even claimed. In the sense that it reinforces safeguards and maintains the ability of our agencies to collect bulk data, it builds on what we already do. The Bill pulls together much of the powers in existing legislation; part of its purpose is to put all of those powers in one place, making them easier to understand and more straightforward to navigate. She is absolutely right; we took those powers in RIPA because they were needed to deal with the changing threats and the character of what we knew we had to do to counter them. That was done in no way other than out of a proper, responsible desire to provide the intelligence agencies with what they needed to do their jobs.
To return to amendments 59 and 60, when people are discovered to be outside the country and are subject to an investigation by the security services they do not usually present their credentials for examination, and it is important that the powers we have fill what would otherwise be a gaping hole in our capacity to do what is right and necessary. The aim of the Bill is to place vital powers on a statutory footing that will stand the test of time.
Amendment 83 relates to clause 14 and the definition of secondary data. It is important to point out that it has always been the case that an interception warrant allows communications to be obtained in full. Historically, that has been characterised in law as obtaining the content of communication and of any accompanying “related communications data”. However, as communications have become more sophisticated it has become necessary to revise the definitions to remove any ambiguities around the distinction between content and non-content data and to provide clear, simple and future-proof definitions that correctly classify all the data the intercepting agents require to carry out their functions.
Secondary data describes data that can be obtained through an interception warrant other than the content of communications themselves. Those data are less intrusive than content, but are a broader category of data than communications data. For example, it could include technical information, such as details of hardware configuration, or data relating to a specific communication or piece of content, such as the metadata associated with a photographic image—the date on which it was taken or the location—but not the photograph itself, which would, of course, be the content.
I want to make it clear that the data will always, by necessity, be acquired through interception. The definition does not expand the scope of the data that can be acquired under a warrant, but it makes clearer how the data should be categorised. Interception provides for the collection of a communication in full and the amendment would not serve to narrow the scope of interception. It would, however, reduce the level of clarity about what data other than content could be obtained under a warrant. It would also have the effect of undermining an important provision in the Bill. In some cases secondary data alone are all that are required to achieve the intended aim of an operation or investigation. That is an important point. Another misconception is that it is always necessary to acquire content to find out what we need to know. In fact, sometimes it is sufficient to acquire simpler facts and information. For that reason, clause 13 makes it clear that obtaining secondary data can be the primary purpose of an interception, and the kind of data that can be obtained under a warrant is also set out.
Narrowing the scope of secondary data would reduce the number of occasions on which the operational requirement could be achieved through the collection of those data alone, resulting in greater interference with privacy where a full interception warrant is sought. Where we do not need to go further we should not go further. Where secondary data are sufficient to achieve our purposes, let that be so.
Secondary data are defined as systems data and identifying data included as part of or otherwise linked to communications being intercepted. Systems data is any information that enables or facilitates the functioning of any system or service: for example, when using an application on a phone data will be exchanged between the phone and the application server, which makes the application work in a certain way. Systems data can also include information that is not related to an individual communication, such as messages sent between different network infrastructure providers, to enable the system to manage the flow of communications.
Most communications will contain information that identifies individuals, apparatus, systems and services or events, and sometimes the location of those individuals or events. The data are operationally critical to the intercepting agencies. In most cases, the information will form part of the systems data, but there will be cases when it does not. When the data are not systems data and can be logically separated from the communication, and would not reveal anything of what might reasonably be considered to be the meaning of the communication, they are identifying data. For example, if there are email addresses embedded in a webpage, those could be extracted as identifying data. The definitions of systems data and identifying data make clearer the scope of the non-content data that can be obtained under the interception warrant.
The fact that the definition of secondary data is linked to clear, central definitions of systems and identifying data ensures that there can be consistent application of powers across the Bill to protect privacy and that data can be handled appropriately regardless of the power under which it has been obtained.