(8 years, 1 month ago)
Lords ChamberMy Lords, I am sure that the entire House is grateful to the noble Lord, Lord Paddick, for giving us a comprehensive list of ways in which we can try to keep our communications secret and away from prying eyes. I am sure that every Member of the House is grateful for that tutorial, but the noble Lord does rather elide the question of those people who perhaps have not had the benefit of his tutorial. I realise that the whole world of terrorism and organised crime is listening with intent to every word that he says on these matters, but there will be such. He gave a specific example, saying that communications data in the past would have demonstrated that X had contact at a travel agent. When I book train tickets, I usually do not use WhatsApp or a VPN—I simply go online and connect to the relevant train company. So if somebody wanted to find out whether I had been booking a train ticket, my internet connection record would provide that information. I therefore do not quite understand the argument that, because there are ways that you can avoid the state knowing what you have done if you are really determined, you should therefore prevent it knowing what you have done if you are not really determined.
My understanding is that not all terrorists and not all organised criminals are terribly good with this stuff—that they make mistakes—so the horrifying consequences that the noble Lord describes therefore might not actually occur, and instead, a lot of very nasty people will be caught, because they do not have the noble Lord’s encyclopaedic grasp of ways of keeping communications secret.
Amendment 118A seeks to prevent the creation and collection of internet connection records. My noble friend Lord Paddick has explained why ICRs are of little security value, and that they would be very difficult and expensive to collect and make use of. The only democracy to try was Denmark, which gave up after years of fruitless effort. It tried again at the beginning of this year with a project almost identical to the one planned by the Home Office, but quickly abandoned it when independent auditors confirmed that it would be prohibitively expensive.
I wish to draw the House’s attention to two other serious drawbacks that would arise from creating and storing internet connection records. The first is the serious impact on the privacy of every user of the internet in this country. We must remember that internet connection records do not currently exist, and until quite recently—say, 25 years ago—all the electronic data that would have to be collected together to create ICRs did not exist, either. In those days, our private interactions with those close to us left no trace. A conversation over lunch, a cash purchase at a shop, a visit to a library to do some research, attendance at a political meeting, a romantic assignation—all left no record of having happened. They were ephemeral. What happened between your four walls was between you and your God.
Fast forward to today, and we find that all the interactions I have just mentioned now leave an electronic trail behind them. A combination of credit card records, location services on our phones, our emails and text messages and records of every website we visit will give the whole game away—including the identity of whom we met at our assignation. If internet connection records are created and kept by our service provider, all these electronic trails will be available to hundreds of public authorities, not just the police and security services, on demand and simply by self-authorisation.
The Government have given this data the name “internet connection records”, which is technically accurate, but what they really are is private activity records: a log of everything we do and when and where we do it. The problem is not that the surveillance can occur at all, but that it happens indiscriminately to all of us, all the time. My second topic is the ironic fact that ICRs will actually reduce our security, rather than improve it, because of the virtual certainty of thefts of some of that private and personal data about every internet user in the country. If you do not believe me, consider just a few of the thousands—and I mean thousands—of recent data thefts from high-security establishments. I mentioned in Committee that SWIFT, the fulcrum of the global financial payments system, has had $81 million stolen from it by hackers. Last week, it emerged that it has been penetrated a second time. A gang of five eastern Europeans is believed to be behind the theft of 3 billion sets of customer data worldwide from many of the world’s leading tech companies, including the data of 500 million Yahoo! customers. As I mentioned earlier, powerful hacking tools belonging to the NSA, the American equivalent of GCHQ, suddenly appeared on the internet in August having been stolen from it, and two Israelis and an American stole 100 million people’s records from 12 US financial institutions. Those are just a few examples—as I say, there are many more—of thefts from sites which, dare I say it, were seemingly far more secure than those of UK service providers.
Internet connection records, or private activity records, will be stolen and the consequences will range from embarrassment to blackmail and fraud for the unfortunate victims. In the case of people in positions of responsibility, including government officials, the consequences could be catastrophic. Far from making us safer, ICRs would compromise our security and, as I have explained, seriously intrude on our citizens’ privacy. We should have nothing to do with them.