Lord Paddick

- Hansard -

Copy Link

- - Excerpts

My Lords, I shall speak to Amendment 116 in my name and that of my noble friend Lady Hamwee. We also have our names to Amendments 154 and 235 in this group.

These amendments relate to a government commitment not to require telecommunications operators to retain third-party data. On 4 November 2015 in a Statement in the other place, the then Home Secretary said that the Bill,

“will not include powers to force UK companies to capture and retain third party internet traffic from companies based overseas”.—[Official Report, Commons, 4/11/15; col. 969.]

However, Clause 58(5)(c) states:

“An authorisation … may, in particular, require a telecommunications operator who controls or provides a telecommunication system to obtain or disclose data relating to the use of a telecommunications service provided by another telecommunications operator in relation to that system”.

Surely this means third-party data.

Amendment 116 would alter Clause 58(5)(c) to read, “may not require”. The key point here is that telecommunications companies should not be forced to obtain third-party data. The draft code of practice on communications data states at paragraph 2.61:

“A data retention notice can never require a CSP to retain the content of communications or third party data”.

Paragraph 2.66 states:

“A CSP cannot be required to retain third party data as part of an ICR”.

Amendment 154 would add a new subsection to Clause 83(2)—the clause headed “Powers to require retention of certain data”—to make explicit that a retention notice may,

“not require a telecommunications operator to retain any third party data, unless that data is retained by the telecommunications operator for its own business purposes”.

This is to distinguish between communications data that the telecommunications operator may have and being forced to acquire third-party data that it does not have.

Amendment 235 would restrict the definition of communications data in Clause 233(5) so that it relates to the provision of the service by that operator and not a third party. I beg to move Amendment 116.

The Minister of State, Ministry of Defence (Earl Howe) (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, as the noble Lord, Lord Paddick, has explained, these three amendments all deal with the issue of third-party data. Amendment 116 seeks to prevent public authorities from acquiring third-party data, Amendment 154 seeks to put the Government’s commitment not to require retention of third-party data on to the face of the Bill and Amendment 235 seeks to amend the definition of communications data to exclude from it third-party data.

On the acquisition of third-party data, the Bill maintains the existing position under RIPA that public authorities can acquire third-party data where necessary and proportionate to do so. But I want to be clear here—a provider is required to comply with a request for communications data, including a request for third-party data, only where it is reasonably practicable for them to do so. It is absolutely right that, where a communications service provider holds, or is able to obtain, communications data, whether in relation to its own services or those provided by a third party, then the data should be available to public authorities for the statutory purposes in the Bill. Put simply, data that already exist, are already held and which could save a life, convict a criminal, prevent a terrorist attack or provide an alibi, should not be put out of reach of law enforcement based solely on which company it is that holds the information.

Amendment 154 deals with the retention of third-party data. As I am sure the noble Lord knows, this matter was considered in the Commons, where the Government gave a commitment to consider it further. I am grateful to the noble Lord and the noble Baroness for tabling this amendment and giving me an opportunity to update the Committee on those considerations. My right honourable friend the Home Secretary has given a clear commitment that we will not require a telecommunications operator to retain third-party data, and that commitment is given effect to in the Communications Data Draft Code of Practice. However, distilling that commitment into primary legislative drafting is complex. We do not want to include provisions in the Bill that are not entirely clear in scope or which put in place restrictions that are broader, or indeed narrower, than intended. But we have been making good progress and are close to a provision that we think achieves the desired outcome. Of course, we need to test that drafting with operational stakeholders and with those telecommunications operators likely to be affected by the legislation, but we hope to be able to return to this issue on Report.

Finally, on Amendment 235, the principle of what are communications data is clear. Changing that position so that the classification of data changes depending on which provider holds them would no doubt cause confusion among providers as to how the data should be handled. While I understand the concerns around third-party data, and hope that what I have said today lays some of those to rest, amending the definition of communications data is not the right way forward. I invite the noble Lord to withdraw Amendment 116.

Lord Strasburger (LD)

- Hansard -

Copy Link

- - Excerpts

My Lords, I shall speak briefly on the amendments on the request filter. Along with internet connection records, the request filter is another power that first appeared in the draft Communications Data Bill and which died along with that ill-fated Bill. The view of the pre-legislative Joint Committee on that Bill, on which I sat, was that,

“the Request Filter introduces new risks, most obviously the temptation to go on ‘fishing expeditions’. New safeguards should be introduced to minimise these risks”.

The request filter was described as,

“essentially a federated database of all UK citizens’ communications data”.

I dare say that the committee would be even more worried when it said that in 2012 if it had seen how this Bill expanded the range of data to which the request filter can be applied. That expansion comes from the proposed introduction of internet connection records, which would reveal every detail of a person’s digital life and a very large part of their life in the real world. The effect of the request filter will be to multiply up the effect of intrusion into those data by allowing public authorities to make complex automated searches across the retained data from all telecoms operators. This has the potential for population profiling and composite fishing trips. It is bulk surveillance without the bulk label.

Use of the request filter would be self-authorised by the public authority without any judicial authorisation at all. The concept that the Government promote for bulk data is that they are passive retained records, which they say sit there unexamined until someone comes to the attention of the authorities. That concept is negated by the request filter. The data become an actively checked resource and are no longer passive. Will the Minister confirm that the request filter is not yet in existence and is not yet being used?

The request filter is a bulk power masquerading as an innocuous safeguard to reduce collateral intrusion. Unless and until the Government come forward with proposals to strictly limit use of the request filter through tighter rules and judicial approval for warrants, as is the case with other bulk powers, Clauses 63, 64 and 65 should not stand part of the Bill.

Lord Butler of Brockwell (CB)

- Hansard -

Copy Link

- - Excerpts

My Lords, I find the amendment moved by the noble Lord, Lord Paddick, difficult to understand. He made the point that the filter arrangement makes the operations of the police easier, but it makes them easier by ensuring that they do not inspect communications data which are not relevant to their purpose. It therefore protects privacy rather than threatens it. The filter is governed by the requirements of the rest of the Bill. It will apply the tests of necessity, proportionality and the protection of privacy. It is a protection of privacy rather than a threat to it.

Lord Harris of Haringey

- Hansard -

Copy Link

- - Excerpts

My Lords, as I said earlier in Committee, it is important that, in assessing any proposal made in the Bill, we strike the balance between the need for it and any possible negative consequences, and whether that may weaken the security of a device, enabling the malign elements, as opposed to benign, to penetrate systems. As I understand it, the purpose of the amendment is to try to ensure that that balance is clear in the Bill. It would place an obligation on those seeking warrants and those considering them to look at whether that balance has been struck and ensure that it has.

It is reasonable for those seeking warrants to demonstrate that they have considered whether there are any negative consequences of the action they are prepared to take, particularly if it leads to a weakening of the general security of a wider system that may mean it is prone to attack from cybercriminals or others accordingly, or that there is likely to be a large amount of collateral damage in other people’s information being made available to the authorities.

I make it clear that I do not think the fact that the information of other people who are not the purpose of a warrant may be compromised is necessarily a reason why we should not proceed with this. It should be balanced with the consequences. For example, I can conceive of circumstances where a warrant might be sought for a machine in an internet café. Clearly, that is because certain individuals are thought to be using it. In any application I would want consideration to be given to what would be done about those other, presumably entirely innocent individuals who might use the same machine.

I am concerned that, as part of the process, there should be consideration of the downsides of a particular application: whether it is weakening the system or interfering with the privacy of other people who are not specifically targeted. If either is the case, there should be clear consideration of what can be done to minimise those risks. The fact that another person is not the subject does not necessarily mean that it should not be proceeded with. It is a matter of proportionality—the benefits that will be gained from the action being taken and whether those are properly considered by those making the application and those considering whether to approve it. For those reasons, the amendment is broadly helpful. I hope that Ministers may be prepared to accept this or something like it to provide that assurance.

Earl Howe

- Hansard -

Copy Link

- - Excerpts

My Lords, Amendments 159 and 160 would introduce new clauses requiring the person making an application for a warrant to make a detailed assessment of the risks of the proposed equipment interference activity to any critical national infrastructure, to the security and integrity of systems and networks, and to the privacy of those not targeted. Amendment 164 is linked to the requirement to produce risk assessments and would require the Secretary of State, when issuing warrants to the Chief of Defence Intelligence, to consider the content of these assessments when deciding whether the activity under the warrant would be proportionate. Amendment 169A would require a judicial commissioner to take into account a technical cyber risk assessment, conducted by the Investigatory Powers Commissioner, of the specific equipment interference proposed when deciding whether to approve a decision to issue a warrant.

I start by making an important general point. It seems these amendments are based on a fundamental misinterpretation of what GCHQ and others are here to do. Their role is to protect the public. That includes protecting cybersecurity. Indeed, the Government have invested very considerable resources into improving our cybersecurity efforts. Last November, the Chancellor announced the creation of a new national cyber centre led by GCHQ, with an additional £190 million of funding.

GCHQ has an excellent track record in identifying cyber vulnerabilities and making leading computer companies aware so they can improve their security. For example, in September 2015, Apple publicly credited CESG, the information assurance arm of GCHQ, with the detection of a vulnerability in its iOS operating system for iPhones and iPads, which could have been exploited to allow the unauthorised modification of software and to extract information from the devices. That vulnerability has now been patched.

I appreciate that the noble Lords’ amendments are intended to introduce safeguards, but I contend that sufficient safeguards are already contained in the Bill. Part 5 already requires the Secretary of State or law enforcement chief to consider whether the proposed conduct is necessary and proportionate before issuing a warrant. The Government have provided even more reassurance since the discussion of these same amendments in the other place. As we have frequently reflected, Clause 2 is a new provision that sets out overarching privacy duties. It includes a requirement to have regard to the public interest in the integrity and security of telecommunication systems. This requirement applies to any decision on whether to issue an equipment interference warrant.

The draft statutory code of practice also sets out, in detail, the factors that must be considered in respect of proportionality. The code states at paragraph 3.27 that one element of proportionality that should be considered is,

“explaining how and why the methods to be adopted will minimise the risk of intrusion on the subject and others”.

It goes on to state at paragraph 3.30:

“Equipment interference activity must therefore be carried out in such a way as to appropriately minimise the risk that the activities of the equipment interference agency would result in any increase of the likelihood or severity of any unauthorised intrusion into the privacy, or risk to the security, of users of equipment or systems, whether or not that equipment is subject to the activities of the equipment interference agency”.

If noble Lords will allow me one last quote, paragraph 3.31 states:

“Any application for an equipment interference warrant should contain an assessment of any risk to the security or integrity of systems or networks that the proposed activity may involve including the steps taken to appropriately minimise such risk … The issuing authority should consider any such assessment when considering whether the proposed activity is proportionate”.