Baroness Ludford
Main Page: Baroness Ludford (Liberal Democrat - Life peer)Department Debates - View all Baroness Ludford's debates with the Home Office
(9 years, 10 months ago)
Lords ChamberMy Lords, the amendment stands in my name and those of my noble friends Lady Hamwee and Lord Paddick. I shall speak also to Amendment 77. In this grouping, there is also Amendment 78 of the noble Baroness, Lady Smith of Basildon.
The Explanatory Notes refer to data that are “necessary” to attribute internet protocol addresses to a person or device. However, that word does not appear in the Bill; I believe that something similar happened in the draft Communications Data Bill in 2012, which was picked up by the committee on the draft Bill. There is a tendency to put “necessary” in Explanatory Notes but not to transfer that to the Bill. Amendment 76, therefore, at least seeks to apply the test of “necessary” to communications data that could,
“assist in identifying, which internet protocol address … belongs to the sender or recipient of a communication (whether or not a person)”.
At least it tightens up, somewhat, the scope of communications data—relevant internet data—required.
I have seen an itemisation of possible data—I confess that I do not know what the origin was, but it refers to possible data which would be required to be retained. I state just for interest that it includes,
“account-to-IP address mappings for broadband … source IP address and port for NAT on mobile and cloud networks … MAC addresses on cloud WiFi networks … source port information in server logs”,
and:
“MAC addresses from end-user equipment”.
This is above my technical pay grade and I think we need some clarity about what sort of information is being required. Therefore, in Amendment 77 we are requesting that when the term “other identifier” is used, meaning an identifier used to facilitate the transmission of a communication, what qualifies as “other identifier” should be specified in regulations made by the Secretary of State.
I have seen it cited that there has been consultation with industry on these matters. Certainly, the Internet Services Providers’ Association has complained that it was not consulted on this section on the collection of IP addresses. It posted something on its website on 24 November, so something may have happened in the intervening two months, but it certainly felt at that time that it had not been consulted. Of course the association would be qualified, as the experts, which I am not, to know what is being talked about here and what is, indeed, necessary and essential to identify an IP address.
I mentioned at Second Reading that the Bill refers to,
“the sender or recipient of a communication (whether or not a person)”.
I still believe that it is somewhat misleading to suggest that a person can be identified from an IP address. Even with a static IP address allocated to a particular device or subscriber, you would at best know who the subscriber was, but you would not necessarily know who was using the device at a particular time. It may not have been the subscriber; it may have been a friend, a relative or a business associate. If it is a dynamic IP address I understand that there can be tens of thousands of people who could have used it. Even with this other information, even if you can identify the device that was using it at 4.12 pm on a Tuesday afternoon, it is still not clear that you can, of itself, then identify the person using it. You would need other investigations—police investigations—to ascertain who precisely was using the device.
I hope that I have conveyed the meaning of Amendments 76 and 77, which seek to put greater precision into the Bill as to what further communications data are being required to be kept.
My Lords, our Amendment 78 in this group seeks to make it explicit that the extra data retention provided for in Clause 17 does not extend beyond that which is necessary for the purpose of identifying a user from the internet protocol address. The amendment is not meant to impact on the rest of the Data Retention and Investigatory Powers Act.
Clause 17 amends the definition of “relevant communications data” in the Data Retention and Investigatory Powers Act 2014. The clause expands the definition of “relevant communications data” to include an extra category of data—described as “relevant internet data”—in Section 2 of the DRIP Act, to allow the Secretary of State to use powers under Section 1 of that Act to bring in regulations to ensure that this “relevant internet data” is retained by communications service providers. Essentially, the Government are using this fast-track primary legislation to amend emergency primary legislation from last July to enable the Secretary of State to bring in secondary legislation relating to a clause in this Bill, which extends the current provision on data retention.
My Lords, I appreciate my noble friend’s extensive reply and explanation. I am still somewhat uneasy that the terms of the Bill are permissive in that the data may need to be retained if it may “assist in identifying”, which is quite loose language. Will my noble friend explore whether there is any way of getting further precision? Presumably the limit of the extent of the kind of data we might be talking about is known, and I feel that what the data are should be spelt out somewhere, even if it is a broad list, so that everybody can understand this matter—I shall join him in the tutorial that he has invited the noble Baroness, Lady Lane-Fox, to carry out, as I have already frankly admitted my own ignorance. It is not helpful to have potential legislation when people do not know what data on them will be retained. It seems reasonable to ask my noble friend to reflect further on the idea of importing the words “necessary and proportionate”, which I think he used, into the Bill and/or to consider further whether it is possible to spell it out in regulations. In awaiting, I hope, that further reflection, I beg leave to withdraw the amendment.
My Lords, I apologise for not being able to speak at Second Reading. I was detained at a board meeting.
This House has given me many occasions to feel both alarmed and surprised. Today is no exception, first, in describing Tinder to my Back-Bench friends during an earlier part of the debate and, secondly, in rising to speak against four noble Lords for whom I have the greatest respect and who have offered me enormous friendship since I entered your Lordships’ House. I should like to cite three brief reasons why I oppose the amendment.
First, I wholeheartedly agree that we need a more detailed, complex and timely debate around this enormously complicated issue. The Government were slow to react compared to the quick review by America of the oversight and security services post-Snowden. This Government have looked lacklustre in their response. However, different processes are under way.
I declare an interest as being part of a panel set up by the Deputy Prime Minister and administered by the Royal United Services Institute. The Information Commissioner work is also continuing and we have the emergency legislation referred to as DRIP, which has already been talked about this afternoon. I believe it is very important that those pieces of work reach the next stage and that the debate in Parliament puts all of them into the mix.
Secondly, it is easy to underestimate the power of the public’s view on this subject. The noble Lord, Lord West, mentioned that he thinks that the public are fairly disinterested in this issue but I disagree wholeheartedly. A YouGov survey found that only 6% of people believe that the Government have a coherent data strategy but that it affects them directly. Another poll whose results I saw recently said that just 2% of people trust the Government when it comes to their data. That is immensely important for the reason that the noble Lord, Lord Paddick, most eloquently espoused earlier—to build trust and engagement among exactly the groups that this legislation is trying to reach.
More than that, perhaps I may give two technical examples that make me believe that such trust is so vital. There is now a move towards more and more use of the dark web—a place where it is very difficult to collect any data—and towards more and more encryption. At one end of the spectrum is a small start-up—actually it is not so small any more—called Wickr. This was started by a woman in the US and it enables communications to remain completely secure. Imagine sending a message that is never stored on any server anywhere. Not only does it disappear remotely in your hand but also it never stays on the network. She has had enormous success in building her app—quite understandably for many people, who believe that they should have a private mechanism for communication and that the Snowden revelations have shown that systems are not safe or secure. Then, more in the mainstream, we have Facebook, which has recently asserted that it is starting a sub-site on the dark web—the unregulatable and uncontrollable web—so that its customers can feel safe.
If we do not listen to what the world is doing and move and engage with it, allowing people to feel that their concerns around security are being addressed, there is a danger that we will take a retrograde step with communications Bills, such as with this amendment.
Finally, I believe that we need to engage much more deeply with both civil liberties groups and the industry itself. Here, I agree with a recent statement by President Obama, which I hope the Committee will forgive me for repeating. At the press conference in Washington which he shared with our own Prime Minister, he said in answer to a question about surveillance and about whether there was a swing to security from privacy:
“In six years I and the Prime Minister have seen a constant threat stream across our desks—the pendulum doesn’t need to swing but we need a consistent framework. There needs to be a debate about the laws and the discussion needs to involve the tech industry, who have responsibilities not only to security but also to the customers who use their products, and it also needs to involve the civil libertarians who are tapping us on the shoulder”.
I urge the Government to address the very real concerns of the general public on the one side and the security services on the other, particularly about the boundaries and framework for data collection, but I urge them not to do so by way of this amendment.
My Lords, there are objections of both process and substance to these amendments which make it inopportune and injudicious to cut and paste this amendment into the Bill—to “bounce” it into the Bill, in the words of my noble friend Lord Blencathra, whose speech I thoroughly commend. As the noble Baroness, Lady Lane-Fox, has just mentioned, there is an issue of trust. We all know—it is commented on with great regularity—that there is very little trust in politicians and parliamentarians. The noble Baroness, Lady Neville-Jones, even though she would like an updated communications data Bill, referred to the poor reputation of the existing model. However, it is the existing model, shorn of the safeguard of judicial authorisation and scrutiny and the safeguard of restrictions on the exercise of powers, that it is proposed should be inserted in the form of these amendments.
I have counted five current reviews of investigatory powers, which make it bad timing to proceed with the substance of these amendments. As I understand it, there is one by the Independent Reviewer of Terrorism Legislation, David Anderson, another by the Intelligence and Security Committee, another at the request of the Deputy Prime Minister by the Royal United Services Institute, another by Sir Nigel Sheinwald on the international aspects, and one by the Interception of Communications Commissioner, Sir Paul Kennedy, into the use of RIPA to identify journalists’ sources. With all those reviews going on, I think it is rather disrespectful to them to say, “Well, we won’t wait for those conclusions but we’ll stick into this Bill all this new capacity to collect communications data”.
Mention has been made of the capability gap. The 2012 committee report said that the Government failed to share with the committee the research findings behind their assertion of a then 25%, going on 35%, capability gap, and that such a figure was “unhelpful and potentially misleading”. Therefore, we simply do not know what the capability is. My noble friend Lord Strasburger mentioned the revelations of the Tempora programme. I am not sure why we bother to legislate half the time, as GCHQ seems to go a great deal beyond the scope of any Bill.
The report also said:
“Part of the gap is the lack of ability of law enforcement agencies to make effective use of the data that is available”.
That is not my assertion but the assertion of a very thorough and wise Joint Committee report. I agree with it that addressing that ability should be a priority.
There was also mention of the failure to consult communication service providers and internet service providers, and there have been recent complaints, which I mentioned earlier, by the Internet Services Providers’ Association about the lack of consultation. Before any redrafted legislation is introduced, the Joint Committee recommended extensive and meaningful consultation,
“once there is clarity as to the real aims of the Home Office”,
which would be quite useful.
While I understand what the noble Baroness is saying about the various studies, does she agree that over six years, which is how long it has taken us to address this starting to lose data, is rather a long time? It is slightly longer than it took us to defeat Hitler, and it is a long time to keep on looking at other things. Do we not have to take some action if we are to achieve something?
I thank the noble Lord for that remark, but I understand that the Independent Reviewer of Terrorism Legislation has a target date of May—four months away—to produce his report. I am sure that we can wait four months.
I would also mention the huge expense that these amendments would produce. One can also query the value of a sunset clause. If hundreds of millions of pounds had been spent on the project by December 2016, it is likely that Parliament would say, “We have spent so much already, so we might as well carry on”.
The noble Lord, Lord King, quoted me as preferring targeted to blanket surveillance. What I meant was not what he has put forward in his amendments. He has removed some of the organisations, but I understand that there is still no specification that it is the security services and the police; the reference is to “purposes”. Other agencies could be pursuing matters for the purpose of serious crime, so the provisions would not be limited to the police and security services. By targeting, I meant not limiting it to certain “purposes”; I meant it to limit the scope of Amendment 79, which replicates Clause 1 of the draft Bill.
As my noble friend Lord Blencathra said, it was the huge breadth of that Clause 1, which is now reflected in Amendment 79, which was so objectionable. The Joint Committee said:
“It is hardly surprising that a proposal for powers of this width has caused public anxiety”.
Even the Intelligence and Security Committee said that more detail was needed on the face of the Bill, but that detail is not in the amendments put forward today. The Joint Committee concluded:
“Clause 1 therefore should be re-drafted with a much narrower scope, so that the Secretary of State may make orders subject to Parliamentary approval enabling her to issue notices only to address specific data gaps as need arises … We do not think that Parliament should grant powers … on the precautionary principle”—
the idea was that new ways of communicating would come along. That was an extremely wise conclusion, yet the amendments consist of precisely the breadth of that Clause 1.
The Joint Committee was particularly exercised over the possible requirement to keep web logs and, as the noble Lord, Lord Blencathra, said, wanted,
“Parliament to address and determine this fundamental question”,
specifically. Amendment 79 does not allow us to address that specific and fundamental question. In the mean time we are legislating on IP addresses in this Bill. Neither I nor any of my colleagues have objected to that, although we wanted to tease out some of the detail.
The Joint Committee also said that there were huge technical and civil liberties concerns about the collection of third-party data and the lack of detail on that in the Bill. The report states:
“United Kingdom CSPs are rightly very nervous about these provisions”.
They simply could not understand the implications of having to collect data from third-party suppliers who happened to cross their networks.