(8 years, 2 months ago)
Lords Chamber
My Lords, I will speak to our Amendments 252 to 254 and the other amendments in this group. To save the noble Lord, Lord Rooker, having to get to his feet, this one is from Apple.
As the noble Lord, Lord Harris of Haringey, just outlined, it is essential that end-to-end encryption is not compromised by technical capability notices. I anticipate that the Minister might say that Clause 231(3)(c) covers this in that it would not be technically feasible for the operator to remove electronic protection of this nature, but we support this amendment and believe that it needs to be explicit in the Bill. However, we do not believe that this amendment covers other forms of encryption. Our Amendment 252 is intended to protect UK operators from the real or perceived disadvantage they would be placed under if technical capability notices required them to make modifications that would make their product or service less secure than overseas operators, who may not be subject to or may refuse to comply with a similar technical capability notice.
Similarly, Amendment 253 is intended to prevent a technical capability notice stopping UK operators from innovating to improve the levels of security or encryption provided by their products and services in a way that would disadvantage them against overseas operators, which may not be subject to or refuse to comply with a similar technical capability notice.
Amendment 254 is intended to deal with the criticism of our amendment in Committee by the Minister, who said that he believed that it,
“would remove the Government’s ability to give a technical capability notice to telecommunications operators requiring them to remove encryption from the communications of criminals, terrorists and foreign spies”.—[Official Report, 13/7/16; cols. 272-73.]
This new amendment makes it clear that technical assistance can be given to enable interpretation and deciphering provided that it does not open the door to unauthorised access to encrypted materials by criminals, terrorists and foreign spies—essentially, what the noble Lord, Lord Harris, just said.
Amendment 252A, in the name of my noble friend Lord Strasburger, is an attempt to combine all the other amendments in this group into a much better-worded amendment. I look forward to hearing from him why this might be the case.
My Lords, I shall rise to that opportunity. Amendment 251, in the name of the noble Lord, Lord Harris, and my noble friends Lord Paddick and Lady Hamwee, addresses one particular kind of encryption—namely end-to-end encryption—and it is very good as far as it goes, which is end-to-end encryption. My own Amendment 252A is also in this group and is complementary to Amendment 251. It is, in my humble opinion, a neater way of dealing with encryption that is not end-to-end encrypted than the combination of the other amendments in this group: Amendments 252, 253 and 254. It is an alternative to them.
We have been around the block many times on the subject of encryption in the context of Clauses 229 to 231. It has come up several times in our debates on the Bill, as well as in questions in this House and in the Joint Committee on the Bill. Yet we are no closer to a clear and unambiguous understanding of the Government’s position on this vital issue, as the noble Lord, Lord Harris, has so eloquently said.
It might help if we start from common ground. I doubt that any noble Lord, myself included, would deny the authorities the option of requiring an operator to decrypt a communication where: the operator already possesses the capability to do so; the sender or receiver of the communication is genuinely suspected of committing or planning a serious crime; and the appropriate process has been followed and the action has been judged necessary and proportionate by a judicial commissioner. I do not think that anybody would argue about that.
I believe there is more common ground. Ministers have repeatedly confirmed that the Government fully accept that many uses of the internet that are now an essential part of everyday life, both for individuals and for large organisations, cannot possibly continue to happen without the security provided by unbreakable encryption.
If we take those two points as read, we are left with two questions about what happens if the operator is not able to decrypt the communication. The first is: should the Secretary of State be able to force an operator to redesign its product so that in future its encryption has a weakness that permits the operator, or perhaps GCHQ, to read a suspect’s messages? The other question is: should the Secretary of State have the power to prevent an operator introducing new or modified encryption services which neither the authorities nor the operator can break? The answer to both those questions is an unequivocal, “No, the Secretary of State should not have those powers”, and noble Lords will be hard pressed to find a single cryptography specialist who has a different view. If the Government concur, as I hope they do, they should have no problem accepting Amendments 251 and 252A, which would remove the ambiguity in the current drafting.
(8 years, 5 months ago)
Lords Chamber
My Lords, I rise to speak to Amendment 147A in my name and that of my noble friend Lord Paddick. My noble friend also has Amendment 156A in this group and he will speak to that amendment; I may have something to add on it after he has spoken.
Amendment 147A requires a judicial commissioner to authorise requests to obtain data from internet connection records. As it happens, this is a very hot topic because only this morning an Advocate-General of the European Court of Justice issued his opinion in the case brought by Tom Watson and, before his appointment to the Cabinet, David Davis. Of course this is not the final judgment of the court, but it is usual for it to confirm an Advocate-General’s opinion. This case concerns the Data Retention and Investigatory Powers Act 2014, one of the Acts that this Investigatory Powers Bill seeks to replace.
In particular, the ruling addresses the legality and the safeguards around the speculative retention of communications data. As such, it is of direct relevance to the provisions in this Bill regarding the retention of communications data and the retention of internet connection records. So I have discarded most of my speech and instead I will let the Advocate-General’s words speak for Amendment 147A on my behalf. At paragraph 236 of his ruling he states:
“Lastly, I would add that, from a practical point of view, none of the three parties concerned by a request for access is in a position to carry out an effective review in connection with access to the retained data. Competent law enforcement authorities have every interest in requesting the broadest possible access. Service providers, who will be ignorant of the content of any investigation file, are incapable of checking that requests for access are limited to what is strictly necessary and persons whose data are consulted have no way of knowing that they are under investigation, even if their data is used abusively or unlawfully … Given the nature of the various interests involved, the intervention of an independent body prior to the consultation of retained data, with a view to protecting persons whose data are retained from abusive access by the competent authorities, is to my mind imperative”.
So the Advocate-General is saying that, because the police have a strong interest in the request for the data, and because the service providers cannot judge the merits of the request, and because the subject of the request does not know that it exists, it is imperative, in his words, that an independent body should decide. Incidentally, he goes on to suggest that there could be exceptions in cases of “extreme urgency”.
To my mind, that independent body he speaks of can only be the judicial commissioner, which is precisely what Amendment 147A stipulates. If the Government believe that the independent body could be something other than the judicial commissioner, perhaps the Minister can inform the Committee when he responds, and say how the Government intend to incorporate the Advocate-General’s opinion, should it be confirmed by the court, into this Bill. I beg to move.
My Lords, I wish to speak to Amendment 156A in my name and that of my noble friend Lady Hamwee. Before doing so, I endorse wholeheartedly what my noble friend Lord Strasburger has just said. The decision of the Advocate-General released today appears very much to add considerable weight to the arguments in favour of Amendment 147A.
Amendment 156A is an amendment to Clause 83, headed, “Powers to require retention of certain data”. It would exclude internet connection records from the types of data that telecommunications operators can be required to store, and, as such, would effectively remove the only new provision—the use of internet connection records—from the Bill.
We believe that such an amendment is necessary for several reasons. Internet connection records do not do what the Government claim they do. They do not provide the police and security services with the internet equivalent of the communications data they already have—for example, access to mobile phone provider data. It is far more complex than that. At best, internet connection records provide only details of which communications platforms have been used, most of which are based in the United States.
Whether useful communications data can be accessed depends on voluntary co-operation by the American companies, which is unlikely in all but serious cases—for which there is an alternative. Internet connection records may provide leads, but they are difficult, complex and time-consuming to follow up. They fail the necessity test. The security services—MI5, MI6 and GCHQ—say that they do not need internet connection to be stored by telecommunications operators because they have other ways of securing the data that they need. In serious crime cases, GCHQ can, does and will help law enforcement to secure the communications data that the police need without recourse to internet connection records.
Indeed, there is a co-located joint operations cell in which the National Crime Agency and GCHQ have joined forces to tackle online crime—initially child sexual exploitation, but in the future other online crime as well. This information is in the public domain. At Second Reading, when I suggested that law enforcement could use security service powers instead of ICRs, the Minister said:
“But of course that is neither practical nor effective because many of the powers of the security services produce investigative material that is not admissible as evidence in a court of law”.—[Official Report, 27/6/16; cols. 1459-60.]
It would appear that the National Crime Agency and GCHQ agree with me rather than with the noble and learned Lord. Indeed, case studies that I was shown when I visited GCHQ tend to undermine the Minister’s assertion.
We began Committee stage by looking at RUSI’s 10 principles for the intrusion on privacy. I will quote just one, on “necessity”, which states that,
“there should be no other practicable means of achieving the objective”.
Internet connection records fail the necessity test. The National Crime Agency and GCHQ co-operation shows that there is a practical alternative.
My Lords, while my noble friend searches for his notes, would it be appropriate for me to make my short speech on this matter? No? I was just trying to help.
That gave me sufficient time. I apologise to the Committee; it has been a long day already. My noble friend Lady Hamwee and I also have Amendments 160 and 169A in this group.
Equipment interference can involve hacking into telecommunication systems or a network by deploying software that could compromise the security or integrity of that system or network, making them vulnerable to attack by not only the forces of good but the forces of evil. It can also expose the communications of everyone using that system or network.
Equipment interference can also involve hacking into someone’s phone or computer so that any communication can be seen by the police or the security services, including messages that are end-to-end encrypted. As the noble Lord, Lord Harris of Haringey, mentioned, that is crucial, particularly as more and more communication is encrypted. Basically, anything that the person sees on the screen of their phone or computer and any information contained on the device, the police or the security services can see as well. This may, however, make the device vulnerable to hacking by others.
Amendments 159 and 160 would include in the Bill safeguards to protect systems and networks, reduce collateral intrusion and ensure that critical national infrastructure is safeguarded by requiring those applying for equipment interference warrants to make a detailed assessment of the risks involved. Amendment 169A is intended to require the judicial commissioner who is asked to approve the warrant to also consider an assessment of the risks, although I am not sure that the wording is entirely right for that amendment. I beg to move.
My Lords, the Committee will get a feeling of déjà vu.
I rise to speak to Amendment 159 and others, and start by acknowledging that equipment interference—hacking, in common parlance—with a person’s computer or phone can be justified by known or suspected threats or by an actual incidence of serious crime. However, I still have two concerns. Some types of hacking pose a risk of serious unintended consequences for the target device and collateral damage to devices connected to it or even whole networks, right up to the national level. My other concern is that in the case of hacking by the police rather than by the security agencies there is a danger that a defence lawyer could, rightly or wrongly, claim that vital evidence located on the target device had been tampered with, so putting a successful prosecution at risk.
There are several known examples of large-scale unintended consequences of hacking by the authorities, and no doubt many more that we do not know about. One example is GCHQ’s attack on Belgacom, Belgium’s largest telecoms company, during 2010 and 2011. It involved infiltrating the home computers of several Belgacom staff to acquire their company passwords. Then highly sophisticated malware was installed on Belgacom’s systems to allow GCHQ to acquire large amounts of data. It cost Belgacom many millions of pounds and a lot of time to clean up its systems. Another example is a test by GCHQ that accidentally closed down an entire mobile network in a major city in this country for half a day. So there is a good case for the extra safeguards in Amendments 159 and 160, which are intended to reduce the risk of equipment interference going out of control, and I support them.
On the subject of the danger of allegations, accurate or otherwise, that the police had contaminated evidence in the device that they subjected to equipment interference, I would be interested to hear the Minister’s views. In the Joint Committee, my concerns were brushed aside by the police witnesses, but surely there is a serious danger that the police will be accused of planting, deleting or amending evidence just as they used to be about slipping incriminating evidence into the defendant’s pocket.
(8 years, 5 months ago)
Lords Chamber
My Lords, Amendment 17 in my name would provide for a statutory public interest defence for the offence set out in Clause 3. Clause 3 effectively reproduces the RIPA Section 1 criminal offence of phone hacking, of which the Prime Minister’s director of communications, Andy Coulson—among others—was convicted when he was editor of the News of the World.
I invite the House to support the amendment in this group proposed by the noble Baroness, Lady Hollins, which provides access to justice for victims of phone hacking and incentivises the adoption of the Leveson reforms which the Government have stalled on. But there is another matter which must be considered and which my amendment addresses—the absence of a statutory public interest defence for voicemail interception or any other type of breach of Clause 3.
Let us consider a situation where suspected serious wrongdoing is being investigated by a journalist or NGO and that journalist or NGO has no faith that the police will adequately investigate the matter; for example, a case of police corruption or, more practically, a case where the police have failed to investigate a case such as that of Jimmy Savile. In such circumstances, if the journalist or NGO intercepted voicemail messages which showed the corruption or illegality, and then exposed it, that person should have a defence that he or she can rely on.
Amendment 17 provides for this. The CPS can of course choose not to prosecute under the public interest arm of the “threshold test for prosecutors”, but that is not good enough. Prosecutors make their decisions on the public interest element after reviewing a file of evidence produced for them by the police and after an investigation which addresses the separate question of whether there is enough evidence to pass the first, evidential arm of the threshold test. Such a police investigation could last for months, if not years, and will involve interviews under caution, search warrants and perhaps arrest. That is a real disincentive to investigative journalism.
If there is a statutory public interest defence, the police will be able to see at an early stage that however much evidence they gather to prove that the act took place, or indeed even in the case of an admission, they will not be able to defeat the defence if the facts are clearly made out and their investigations will be curtailed. The benefit of a public interest defence therefore is not so much that it will allow investigators in the public interest to be acquitted at trial, or even that the CPS will choose not to prosecute on the evidential arm before even having to consider the public interest, but that the police will abandon investigations where the public defence is clearly made out in the facts. That will have the benefit of removing the chilling effect of potential police investigations and possible prosecution from investigative journalists who we rely on on these occasions to root out wrongdoing. Perhaps I may invite the Minister to engage in a constructive discussion about whether a narrow but valuable defence can be crafted. After all, noble Lords will be aware that there is a statutory public interest defence in Section 55 of the Data Protection Act, a provision that in Clause 1 of this Bill the Government are relying on as adequately protecting our privacy.
The investigative journalist Nick Davies of the Guardian exposed the hacking scandal. Had he had to intercept voicemail messages between Andy Coulson and one of the several convicted news editors who served under him in order to bring the story to our attention, that would have been in the public interest. It would not have been right that in the absence of a public interest defence which the police knew was valid, he had been arrested and questioned by the very police force whose failures he uncovered. That is why this amendment is so important and I commend it to your Lordships.
My Lords, my noble friend Lady Hamwee and I have Amendments 16, 20, 21, 22 and 84 in this group.
Amendment 16 concerns the offence of unlawful interception, but in the Bill as drafted that applies only to public telecommunications systems, private telecommunications systems and public postal services. It does not apply to private postal services. Examples of those could be the postal services used by the legal profession such as Legal Post and DX. Can the Minister inform the Committee why private postal services are not included in that provision?
Amendment 20 relates to the provision that,
“Conduct which has lawful authority for the purposes of this Act … is to be treated as lawful for all other purposes”.
Presumably, this provision is to avoid the problem we have had in the past where, while interception or equipment interference was allowed under one piece of legislation, it was an offence under the Computer Misuse Act 1990. Presumably, that is why this provision has been included, but surely it should apply to existing legislation—and it should state that it should apply to existing legislation—not to legislation in the future.
Amendment 21 is again about any other conduct under the Bill being treated,
“as lawful for all purposes”.
Surely this should not be as broad as that. It should be restricted to what is lawful only for the purposes of this Bill.
Amendment 22 concerns the service of monetary penalty notices. Paragraph 4(4)(g) of Schedule 1 allows for an oral hearing before the commissioner, but the amendment would add that the person who applies for and is granted an oral hearing before the commissioner can be legally represented.
Returning to something that I referred to in my opening remarks, Amendment 84 is about restrictions on unauthorised disclosures which as written would prevent the Secretary of State from disclosing the existence and contents of a warrant. The amendment would allow the Secretary of State to disclose the existence and details of a warrant if she felt it was necessary in order for Parliament to carry out its functions. As I mentioned before, I do not see how the argument can be made that the Secretary of State should be involved in the authorising of warrants because she can be held to account, when she is not able, under the terms of the Bill as drafted, even to admit that such a warrant exists.