Investigatory Powers Bill (Second sitting) Debate
Full Debate: Read Full DebateChristian Matheson
Main Page: Christian Matheson (Independent - City of Chester)Department Debates - View all Christian Matheson's debates with the Home Office
(8 years, 8 months ago)
Public Bill CommitteesWe clearly have two excellent witnesses here, and I am sure that many colleagues will want to ask questions. Who is trying to catch my eye? Would Mr Matheson like to ask a question?
Q I remind the Committee that Mr McClure is known to me, as he is my constituent.
Good afternoon, Mr McClure. The case of your nephew obviously involved a criminal offence and was clearly terrorist-related. There have been suggestions, and we have heard evidence as a Committee, that the failure was not necessarily one of electronic intelligence, but of human intelligence and a lack of resources, because the security services were already aware of the then suspects—the people convicted of your nephew’s murder. How do you react to that?
Ray McClure: It is a bit of both, to be honest. The report by the Government into Lee’s murder, “Report on the intelligence relating to the murder of Fusilier Lee Rigby”, highlighted failings in the intelligence services and their processes. I do not know personally whether the recommendations have all been implemented, but I have got to assume that they have been, because they were taken very seriously.
Also, the report highlighted other major failings. The ones that caused me the greatest concern were those where the warrants issued by the UK Government were not complied with by American internet companies. [Interruption.] Sorry, I am going to pick up my notes. The report made it absolutely clear that the attack by the two murderers of Lee was planned on the internet; they made contact with people on the internet. Yes, opportunities were missed, but internet service providers failed to review any suspicious contacts and they did not obey UK warrants—they went out of their way to obstruct UK warrant providers.
Paragraph 401 says
“some overseas CSPs do not comply with UK RIPA warrants, as they do not consider themselves bound by UK legislation.”
That is a failure not of the security services, but of those other people—the internet service providers. Paragraph 457 says:
“The number of different forms of communication now available presents the Agencies with significant challenges in terms of their ability to detect and prevent terrorist threats”.
If the internet companies are not co-operating with the intelligence services, there is a big hole there—a big gap that needs to be plugged.
“CSPs based in the US have, for the most part, refused to recognise UK legislation requiring them to provide the content of communications on their networks: they do not consider themselves to be bound by the legal obligations set out in RIPA”—
warrants, etc.
To me, this is a big hole—a big issue. Being somebody from an IT background, I was horrified at some of the stuff I was reading. These companies—Apple, Facebook, Google, Microsoft, Twitter, etc.—are companies that we grew to respect, but the actions that they are undertaking now in not supporting the security and intelligence services, the forces of law and order, to prevent crimes like what happened to Lee, leave a big hole that has to be plugged.
Q You talk about the lack of co-operation from some of these large corporations based outside the UK. When considering your own investigations and inquiries surrounding the murder of your nephew, have you seen any evidence that that is quite a common trait?
Ray McClure: That is a good question. Yes, I have. I can give two very clear examples. One example is Microsoft, which has been fighting a warrant issued by the US Government to gain access to a drug dealer’s emails. It claims that, because the emails are not held on US territory, the US Government cannot have access to them. The emails are actually held in the cloud, and their physical location is in Ireland. Microsoft claims that the emails are a customer’s personal documents and that, because they are outside the US’s jurisdiction, the US Government and US law-enforcement agencies cannot access them.
That raises a big question mark. Today, when you send an email, you do not know where the physical data will be held—it is held somewhere in the cloud, but you do not know where. That creates a problem for all security and law-enforcement forces. Where does the jurisdiction lie for gaining access to that data? It is a black hole. It is wrong. Microsoft’s actions are protecting the drug dealer, not helping law enforcement.
The biggest concern right now—it is a very hot topic—is Apple’s stance over the San Bernardino terrorist. He killed 14 people, yet Apple refuses to co-operate with the FBI and allow it to access the data on his iPhone, which might help the police identify his accomplices. That is protecting terrorists, not helping law and order. Quite frankly, I am at a loss as to why the IT companies are so opposed and why they are fighting law and order as they are doing. It is wrong.
Q Looking at the specific provisions in the Bill, as far as you have been able to check them, are you satisfied that your concerns have been addressed, or was there something else that you were specifically looking for?
Ray McClure: I do not believe that this Bill is adding new powers to the police and the security forces; I think that it is clarifying the existing powers and bringing them together. It makes it a lot clearer where responsibility lies in obtaining warrants and what the powers are. I think that bringing that clarity is a major step forward. Yes, I am happy, and I urge you all to support the Bill. My only concern—it is a personal concern—is that, frankly, I would prefer warrants to be authorised by the judiciary, not by politicians, such as the Home Secretary, but that is my personal opinion; it is down to you guys to make the laws.
Can I make one other point about Apple and Microsoft? These companies are building solutions that we use every day. Let us be honest: these phones that we use today are brilliant, with the address book and everything else. But to make that a no-go area for law enforcement is wrong. There should be no such thing as a no-go area for law enforcement. If you cannot enforce the law, you have a situation in which you are protecting evil, and when you protect evil, evil will thrive, and that is wrong.
Thank you, Mr McClure. We have so many colleagues who want to ask you questions.
Ray McClure: Sorry, Sir.
Q Presumably you also welcome the right to review a technical capability notice and the commitment that there will be further discussion with you before you are obliged to meet obligations.
Mark Hughes: Yes, indeed, and not only that, but there is now on the face of the Bill a right of appeal to the Home Secretary if a notice is issued to us and we disagree with it. That has not existed in the past. In the past, under other legislation, we have had occasion to make representation, but it is much clearer in this Bill than it has been in the past.
Q Under the terms of the Bill, you are being asked to collect a large amount of data, some of which will be quite personal and some private. How confident are you of BT’s capability in terms of maintaining the security of those data from hacking or theft, particularly bearing in mind the fact that other communications service providers have been hacked into? When you consider the rest of the industry more broadly—without naming names—do you think BT is in a stronger position than other CSPs to maintain security against hacking or theft where there might be vulnerabilities elsewhere?
Mark Hughes: The security of any data we hold and retain is clearly a matter that we take extremely seriously. That is of the utmost seriousness for our organisation for any type of data. The type of data that the Bill refers to specifically is, though, perhaps different from other types of data that need to be interfacing the public on a bigger scale, for example. This is not that type of data; it is going to be restricted and allowed to be viewed by only very few individuals who have the correct authority to be able to get to the data when they need to.
The level of security applied to this type of data is clearly factored into the type of data that is being retained, so we have to put very significant security measures around it to ensure that the access is controlled properly and that the data are very secure when stored. That absolutely has to be factored into the cost and the way we operate. It is not something new. We are currently subject to laws and regulations under which we have to make sensitive data available, so we are used to doing it, but that clearly has to be factor in for, for example, some of the new datasets we are potentially going to be asked to retain under the Bill.
Q On the Joint Committee on the draft Bill and on the Science and Technology Committee, we heard CSPs talking about the level of engagement they have had from the Home Office, and we have heard from the Home Office that that has increased recently. That seems to tally with what you are saying. Could you give us a sense of the scale and extent of that engagement, and some reassurance that, in this fast-moving world, you are confident that the relationship is such that that engagement would be there in future as well, rather than it just being about getting the Bill to this stage?
Mark Hughes: We have had extensive periods of consultation and meetings on a very frequent basis. The Home Secretary has invited many of us representatives of the CSP community to meetings with her on two occasions before this, as well as to many working-level meetings with various Home Office officials. We discussed the technical, legal and procedural points about the proposed legislation as well, which is markedly different from how things have been before.
On the point about the future, which is important here, the Bill itself clearly specifies and puts in place a regime whereby consultation is enshrined in the legislation through the consultation process that has to happen before a notice is issued and, indeed, because the reconstituted technical advisory board can be called to come together at any time. That power did not exist in the past. The consultation is in a better place and I think that the Bill itself will help to ensure that that continues in future, because it will be a point of law.
With the permission of the Committee, I might suspend the sitting for 10 minutes at 10 minutes to 4 to allow people to have a quick break, because this is quite a long sitting. Is that with the permission of the Committee? Brilliant.
Q I have two questions. Mr Astley, there are two opposing schools of thought relating to this Bill. There are those of us who recognise the need to update the legislation as it is to provide protection for children against sexual abuse and to provide protection against terrorism, terrorist atrocities and terrorist threats, and at the far end of the scale are those who believe that there is an absolute right to privacy and that no price is worth paying to imperil that privacy.
The job of Parliament is to find the correct balance on the scale between those two extremes. I do not think it would be too difficult to find justification, for example, for the protection of children against sexual abuse or for the defence of the realm against foreign threats and foreign terrorists. Justify to the Committee, if you will, the use of some of these powers, limited though they are in the Bill, for offences at the lower end of the scale.
Mark Astley: From a local authority perspective, they are a small user of telecommunications data. It has never been abused or misused from a local authority perspective, but they investigate some quite serious crimes. We had a particular case of advance-fee fraud, which was worth £7.5 million.
If you look at the majority of the applications that local authorities make, an extremely high percentage in the last two years—96%—was purely for subscriber data, or what is currently known as “c data”. That is the basic information about the subscriber to a telecommunication service and sometimes that is the key information that investigators need. An example would be someone who is trafficking illegal tobacco and the shopkeepers they are speaking with only have a telephone number for the delivery person. Therefore, in order for people to investigate successfully, which they have the powers to do—provided by Parliament—it is important that they have that access.
Q Let me ask you then, finally, why in that case, if a crime is sufficiently serious, can the involvement of the police not take over the requirements for access to electronic communications data, as opposed to, for example, your members?
Mark Astley: Yes. As I have previously mentioned, our members are very highly trained; they are commensurate in some respects to what the police investigate. But they deal with their local community on a more local basis and they have the powers and expert knowledge, in particular about rogue traders, about illicit tobacco and about counterfeit items. They have that experience.
Q You could still handle those investigations and deal with them, but when it was apparent that they are of a sufficiently serious nature you can involve the police, who are then able to make the applications on your behalf, so you would not need access under the terms of the Bill.
Mark Astley: It is a valid point, but I believe that the powers are there for the trading standards, who do a really good job, and they have done an excellent job so far in dealing with high-level crime.
Q In the last year for which records are available, which I think is 2015, about half a million applications for access to comms data were made. About 0.4% of those were local authority applications.
Mark Astley: That is correct.