National Security Bill (Second sitting) Debate
Full Debate: Read Full DebateDamian Hinds
Main Page: Damian Hinds (Conservative - East Hampshire)Department Debates - View all Damian Hinds's debates with the Home Office
(2 years, 4 months ago)
Public Bill CommitteesQ
Sam Armstrong: The problem is that it is so broad, in that there are problems even in this building. The security services will tell you privately that—far beyond Christine Lee, who obviously was named—there are agents of the Chinese state here who are known to the security services and in whom they have taken an active interest.
There are huge problems in academia; China has made no secret of its interest in academia. When the Zhenhua database leak happened a couple of years ago—this was a database that China was using to identify potential targets of intelligence activity—it was no surprise that they had targeted think-tanks and academics very carefully.
The third and final area that China is very, very interested in is anything related to technology, and to the areas that it would like to obtain and that it set out in its “Made in China 2025” programme. Those areas are twofold. The first is universities and open research. There are researchers in the UK right now who are, frankly, working with branches of the Chinese navy to come up with devices to track nuclear submarines around the world. That is as dangerous as it comes to our national security, and that work is going on in the open. I am also aware of British companies that are making engines—or casings for engines in this case—that they have admitted are good for nothing other than for engines in tanks. There are grievous concerns about the whole level.
Where do you start first? Well, that is a choice between those that are dangerously undermining our national security and tech, and those that are dangerously undermining our democracy in accessing this building and in terms of the influence and space in which they are influencing our democratic process.
Q
Carl Miller: One suggestion that I was going to make today was that we have nothing like a comprehensive picture. This is often extremely sporadic project-based research, and it is usually platform-specific, even though we know that, in all likelihood, that is not how the campaigns work—they will work across tonnes of platforms all at once. We will see only certain kinds of campaigns. We are broadly better at seeing broad-based campaigns addressing quite large slices of a population, but again, if we were to put ourselves in the mind of an influence operator, there would be much more targeted campaigns directed towards—if you will—higher-value targets as well.
What we know about scale is that many more countries than those we talk about are doing it. I understand that in the last Indian election, accounts attributable to every single mainstream political party were taken down by Facebook during that campaign. It has emerged as an almost mainstream campaigning tactic.
Q
Carl Miller: Yes. One of the reasons that I am hesitating is that, for researchers like me, clear and guaranteed attribution—outside the platforms—is unbelievably difficult, and I do not want to overstate. I can tell you that there are dozens upon dozens upon dozens of incidences, scenarios and narratives that we regard—reading the tea leaves of machine-learning patterns as we do—as suspicious. With the open data that is available to me, I cannot definitively link that back to a state. However, Twitter and Facebook, for example, have both disclosed dozens of campaigns that were—at least in part—likely targeting the UK, and linked them back to what they believe to be state actors.
Q
Carl Miller: No, there is not. In fact, I am sure it does, and that is one of the big trends we are seeing. We ran an effort over COP26, and we saw that there were certainly various kinds of organised attempts to manipulate big global thematic conversations about climate action, for instance. Given the barriers of entry into this world, I also do not think that it will be national elections; it might be quite small and local events that see some level of manipulation happening, too.
I will also point out one reality about how these work. One of the difficulties in seeing how the Bill—I am sorry if I have misunderstood this—might apply is its requirement that the actors involved have to be conscious that they are working on behalf of a foreign power.
Quite often, my suspicion is that you would have a state agency with various kinds of links with online actors, and there might be a whole chain, from a PR company to another more specialist digital consultant to a much spammier consultant, and that person might be the person reaching in and actually gathering together various kinds of functionalities, capabilities or services to do overtly illegitimate and malign forms of manipulation online. It might be very difficult; they might never know that a state is at the other end of the trail. With the companies that I mention—the ones selling large amounts of digital manipulation—I cannot believe that they do any kind of “know your customer” activity. I do not think that they have any idea who is employing them.
Q
Carl Miller: I cannot create a profile for how each state would approach information operations, to be honest. I do think that there is quite a high degree of heterogeneity among the actors involved. You have all kinds of different intelligence agencies, and military-based and political PR comms-based actors. One of the truisms is that it is a bit of a scattergun approach at the moment, where lots of things have been tried and they are attempting to evaluate them, and they do not really know which ones are succeeding and which are not. I am not quite sure if that is true or not.
The actual nitty-gritty of the techniques and technologies involved is probably the shadowiest part of this whole area. If the Bill were to be effective, something we need in parallel to it would be almost a digital influence version of the national risk register, where we have state support to pull apart and lay out where we think the genuine threats are and the genuine bodies of capability and technology that have been built to do this kind of stuff. It is very difficult for researchers in the open to do this by ourselves.
Q
Sam Armstrong: Yes. China initially began—there is some really interesting stuff that has only happened in the UK in this space. We had a university that for a very long time rather openly advertised itself as providing services and specialist media training to officers of the Chinese propaganda Ministry, among others—various branches of the Chinese state—right here in London, metres away from the BBC. You also have the Confucius centre picture, which is important.
Where China has actually done very poorly is in its direct Government-to-Government disinformation. Some of the stuff that you saw around “Wolf Warrior” or that the Global Times—its state international newspaper—puts out is very ineffective. What China is incredibly effective at is not really that disinformation or misinformation public communications picture, but identifying individuals of influence within academia, business or wherever, and building up close relations with them. They are invariably people of influence, who in turn use their own networks to say, “Well, look, I’d be careful of all this talk about China. They are the biggest-growing economy on Earth, we really need to trade with them and we shouldn’t do anything to upset them at any point.” In so far as I have seen, that is where the Chinese influence picture has been focused.
Q
Sam Armstrong: Yes, there are two things. The first is the foreign influence transparency register system. I note that there has been a promise that it is to come, but the devil will be in the detail on that because there is a series of policy judgments that have to be made—whether it is expansive, where the teeth bite and so on. It is incredibly important that it is seen quickly.
Secondly, there should be an ability for the Secretary of State, either of the Home Office or the Foreign, Commonwealth and Development Office, to intervene in known problematic institutional relations. There are excellent powers here, such as the individual prevention and investigation measures, but there is very little capacity when that is done more corporately—to go in and say not just to universities but to companies, which would be an expansion of the Australian power, “This arrangement is not in the UK’s interest, and we are ordering you to terminate it.” To say that is a glaring omission is perhaps overstating it, but those are the two powers I would really like to see.
Q
Louise Edwards: The intelligence community have not notified us of any successful attempts to interfere in UK elections. As I mentioned, the Electoral Commission is not a national security body—we do not have intelligence functions—so when it comes those matters, we receive the information rather than creating it or analysing exactly what it means.
Q
Louise Edwards: That is my understanding of what the intelligence community mean when they tell us that, yes.
Q
We talk in other contexts about regulating political advertising—meaning adverts placed by political parties that are registered under the Political Parties, Elections and Referendums Act 2000—but in reality, political parties’ advertising is a very small fraction of the total online influencing that goes on in the run-up to elections. What is your expert assessment of how the whole political arena is changing? How do our institutions and our legislative approach need to change to keep up?
Louise Edwards: That is a very interesting question—how long do I have? The political finance side of the regime—I will unpack what I mean by that in a moment—is very much focused on the concept of regular and routine transparency that is enhanced significantly around an electoral event—an election, essentially.
When we talk about the political finance regime, we are talking about a defined set of actors: registered political parties, third-party campaigners, candidates or other members of political parties, and those who have specific responsibilities under law, including regular donation-reporting obligations. For example, political parties have to tell us about their substantial donations on a quarterly basis, and we then publish all that information.
When it comes to elections, as I am sure you know, there is a period in the run-up to elections called the regulated period. Any spending on campaigning that happens during that period—obviously, it gets more intense the closer you get to polling day—also has to be reported to us and gets published so that people can see it.
However, you are right that that is only one side of the nature of influencing or of the wider concept of political campaigning in the UK. There are some really interesting questions there around whether it is sustainable to look only at detailed spending in the run-up to an election, when you might well argue that political campaigning these days is year-round rather than in the run-up to particular polls.
There is also another side to it: how do you define regulated political campaigning and the spending that has to be reported? Back in 2018, we did some work with voters looking at what they thought about online campaigning specifically. One thing we found was that quite often voters did not realise that something they saw online was actually trying to influence their vote, because it was not immediately obvious on the face of the piece of literature that that was what was happening.
In terms of how things might change or develop in the future, there was a bit of thinking done about this in the Elections Act 2022, which introduced what we call “digital imprints”. They are a little bit of text that goes on a message online and says, “This was produced by this person, on behalf of this person, paid for by this person,” so you can see that it is a political advertisement. It is that level of detail and transparency that now needs to be applied.
Q
Louise Edwards: It applies to anybody who is putting out regulated political material, so it would be political parties, third-party campaigners and candidates. The regime is fairly comprehensive, although not entirely comprehensive. I realise I am going slightly outside the scope of this Bill, but there is opportunity to make it more comprehensive and to really make it clear to voters every time they see a little bit of campaign material online who is paying for it. So it is those established actors who are—
Q
Louise Edwards: Yes.
Q
Louise Edwards: You have hit upon one of the hardest issues here. Broadly speaking, people who are within the regime already—the established actors we have been talking about—comply with the law. Many of them, in fact, already put digital imprints on their online material, even though it is not yet a legal requirement to do so. The challenge is those who are perhaps based overseas or who do not want to play by the rules, basically. There are real enforcement challenges there, particularly when you are thinking about organisations or individuals based overseas.
If I go back to the recent Elections Act, one of the provisions that the Government brought in at that point was to lower the spending threshold in elections for people who are based overseas to £700: if you are an overseas entity, you can spend up to £700 campaigning in our elections, then that is it—that is your spending threshold. The problem is that, from our point of view, that can only really be symbolic, because it is virtually impossible to enforce spending at that low level. Even if we were to identify an overseas organisation spending in UK elections, they are overseas, so we have no enforcement powers that we can use to try to stop them.
I am painting a fairly awful picture, but there are some ways to tackle it from a slightly different perspective. For example, we have recently started launching a campaign before elections that is helping voters to look at online material with perhaps a more critical eye, to try to assess whether they should let it affect their vote and to give them a place to find out how to express concerns about that material, with the hope then being that we can perhaps raise confidence in legitimate digital campaigning while at the same time giving people an outlet if they see something they think is illegitimate. There is also a fair amount of work that you could do around political literacy at a very young age with voters, to help them to have that kind of critical perspective.
You mentioned the registration schemes. As a civil political finance regulator, our remit does not extend to matters of lobbying and influence, but one thing I would say, if I may, is that when it comes to the integrity of our democracy and voter confidence in it, transparency is key. Any registration scheme that brings more transparency around who is seeking to influence those involved in our democracy can only be to the benefit of the confidence of voters.
Q
Professor Ciaran Martin: Why is so-called data sovereignty such an issue? There are all sorts of reasons in economics, but one of them is that the location of the storage of data is really important. Data centres are massive strategic assets and a vulnerability for any sort of country, and you can see that combined effort. Why did we have such a big debate about the role of Chinese technology in UK infrastructure? It is because of the potential—never mind 5G and so on, but rather in things like smart cities—for data to be siphoned off covertly and so forth. It is possible.
There are stats to show, if you had compromised the International Atomic Energy Agency in Vienna and you went in there, how much you could photocopy versus how much you could steal electronically. There is now the possibility and, in some cases, the practice of comprehensive strategic compromise of huge, important datasets and sensitive strategic knowledge across all sorts of sectors by a combination of mostly digital but sometimes human-enhanced means. Until now, as you say, Mr Hinds, we have not really had a legislative framework for it. This Bill does provide a no doubt improvable such foundation.
That brings us to the end of this section of questions. On behalf of the Committee, I thank our witness, Professor Ciaran Martin. Thank you very much.
Examination of Witnesses
Dr Nicholas Hoggard, Professor Penney Lewis and Rich Owen gave evidence.
Q
Professor Penney Lewis: Sadly, no. That was not within the scope of our project. It really exceeds the focus of our project on official Government data, so we did not make any recommendations in relation to those kinds of powers and we do not have a view.
Q
Rich Owen: We think the solicitors’ profession should be subjected to the scheme in just the same way as any other, although we would like an exception on grounds of legal professional privilege. This is an ancient common-law right going back 400 years or more. It is also regarded as a human right and as a corollary of everyone’s right to receive legal advice and assistance and we feel it plays a crucial role in the proper administration of justice.
To be clear on what we mean by legal professional privilege, it is communication between a client and lawyer whose dominant purpose is to seek legal advice, or a communication between a client and lawyer in anticipation of pending or actual litigation. We therefore think that if there is a foreign influence registration scheme without legal professional privilege, then solicitors acting for foreign states or foreign state-related actors, such as companies controlled by or influenced by foreign states, would have to disclose documents. We think that profoundly compromises the rule of law and the fairness of trials, and will affect the relationship between client and lawyer.
I think it is easy to forget that legal professional privilege is not a privilege for solicitors or lawyers; it is for the client. Of course, clients want to be open with their lawyers when they are seeking advice, and we think this scheme would inhibit that openness. Of course, very often, the reason why they want to be open with their lawyers is that they want to know how to comply with the law, rather than breach it. That is why an exemption is needed in any such scheme.
Q
Rich Owen: It is important to know the limits to legal professional privilege. It cannot be used to further a crime—because of the so-called “crime-fraud exception” or the “iniquity exception”—so if a solicitor advances an assertion of legal professional privilege in bad faith, then they are not in a privileged situation and could potentially be charged with conspiring to pervert the course of justice.
Legal professional privilege would complement any scheme. The Home Office consultation on a possible scheme said it would respect the human rights framework. That privilege is an ancient common-law right. It is has also been recognised as a human right. The consultation also said that a scheme would not interfere with legitimate activities. It would be a legitimate activity to seek advice from your lawyer and not have that advice disclosed. If anyone was furthering that for espionage purposes, then that would not be a privileged situation; they would be acting outwith legal professional privilege.
Q
Rich Owen: Yes. Well, we are looking for something similar to the Australian scheme. The Australian legislation specifically exempts legal professional privilege, as well as seeking legal advice and assistance. That sort of model, which expressly exempts legal professional privilege, would be a suitable way forward for the scheme.
Q
Dr Nicholas Hoggard: You can, although I am afraid I will have to be very boring. Speaking with my Law Commission hat on, we are limited in what we can say with respect to those things that did not form part of the scope, regarding the protection of Government data. I am very sorry; I do not mean to be deliberately unhelpful, but we do not really—
Q
Professor Penney Lewis: I am sorry but I am going to be very boring again. The offence in clause 3 is not the implementation of one of our recommendations. It is one of the offences that was outside the scope of our project. The main espionage offences that are in the existing Official Secrets Act, which implement our recommendations, are in clauses 1 and 4 of the Bill.
Dr Nicholas Hoggard: I will add to that without going outside our own remit, but thinking more broadly about the distinction between UK interests and Government interests. To re-emphasise a point that Penney made earlier, the essence of espionage offences lies in that purpose prejudicial. That is why we see in those offences that have the purpose prejudicial element—where your purpose is prejudicial to the safety or interests of the United Kingdom—that the sentence is so much greater.
The mens rea—the fault element—of those criminal offences lies in that purpose prejudicial. You need not only your purpose but to have known, or ought to have known, that your purpose was prejudicial to the safety or interests of the UK. Also, you must have known, or ought to have known, that you were acting to benefit a foreign power on behalf of a foreign power. Taken together, it is that essence that makes those offences substantively different from the sort of behaviours that might embarrass a Government—or a Government Minister. That sort of thing often falls for consideration within unauthorised disclosure offences, but it is not really the meat of an offence focused on the active interference with the proper safety or interests of a state.
Regularly throughout the project we met with a number of the UK intelligence community in Cobra with the Government security group. The evidence we heard of the nature of hostile state activity does not really have a bearing on the sort of material that sometimes gets disclosed that might embarrass Government Ministers. They are two quite different creatures.
Q
Professor Penney Lewis: Maybe I will start with the high level and then Nick can come in with a bit more detail. I should preface my answer with a slight caveat. This project started in 2015. Nick joined the Law Commission in February 2019 and I joined in January 2020, so while we were heavily involved in the final report, neither of us were involved in drafting the consultation paper or in the consultation period, which happened in 2017. None the less, we have read the consultation responses, and I can also talk slightly more generally about how we go about doing a consultation.
We were asked to take on this project. The way we work is that we undertake a pre-consultation investigative phase where we talk to stakeholders. That involved Government stakeholders, including Government security stakeholders. We talked to a lot of academics who work in this field. We talked to the media, because obviously they were particularly interested in the 1989 Act, and various organisations that are interested in freedom of expression and open government. We then drafted a consultation paper, which contained provisional proposals for reform. We put those out to public consultation. We had a three-month consultation period, and we had a number of consultation events during that. At the same time, we are continuing to talk to Government security colleagues, as Nick mentioned.
We eventually came to an agreement with Government security colleagues about how they would brief us about the details of the threat facing us without us then being in a position where we would have to say in our report, “Well, we have heard all this secret evidence. We can’t tell you what it is, but trust us that these are the recommendations we think will safeguard the security and interests of the UK”, and without also putting the security and interests of the UK at risk. We agreed a confidential briefing process that involved Nick and me. We then also agreed the disclosure by Government of hypothetical examples that they had drafted to represent the real threats that they told us about confidentially and securely.
Throughout the report, there are hypothetical vignettes that illustrate particular risks. Those are the Government and intelligence services’ creatures, but they were the way in which we were able to reflect the reality of the threat. We then considered the consultation responses and the information we had had from the Government security group. We actually changed a number of things we had said in our consultation paper, so in between the provisional proposals and the recommendations there are a number of significant differences, particularly in relation to the 1989 Act. We then published a report in 2020, which contained our final recommendations for reform.
Dr Nicholas Hoggard: I will go into some specifics of what we learned, which is generously open-ended. What Penney says is correct; there were a number of changes that followed the consultation paper, come the final report. One of the major reasons for that was our engagement more substantively with confidential material and representatives from the UK intelligence community—UKIC—and across a number of Departments. It became increasingly clear to us that the scale of the threat was of an order of magnitude that, even in relatively recent integrated reviews, had not really been reflected. That scale really comes from the cyber-threat. I do not want to repeat what far more sophisticated witnesses said earlier in respect of that, but it also became increasingly clear to us that the way in which very capable state actors were wielding that cyber-threat meant that certain of the original provisions we had made needed to be reconsidered.
One example of that would be the extraterritoriality provisions, both in relation to the espionage offences and the unauthorised disclosure offences. The nature of the way in which cyber-information is held—of course, cyber-information now basically means all information—has changed. The existing offences under the 1911 Act and its ancillary Acts are now almost quaint in the way that they perceive espionage as something that happens on our territory. Of course, that is simply not the case anymore. These extraterritoriality provisions, though relatively unusual for criminal offences, are none the less vital if we are to capture the sort of behaviour that we see now. I think the process we went through in engaging with UKIC was actually vital for the understanding of, and background to, some of the recommendations that we made.
If there are no further questions, can I thank our witnesses? We will now move to the next panel.
Examination of Witness
Poppy Wood gave evidence.
Q
Poppy Wood: That is a brilliant idea. It goes back to the point about grip. We are seeing really good work being done by the Home Department and the Department for Digital, Culture, Media and Sport. I think the DCMS counter-disinformation unit is an important tool, but it is very small, as is DCMS, and it is lacking the transparency that such interventions require. It should probably be a body like the Intelligence and Security Committee—some kind of cross-party body, quasi-independent of Government, thinking about the issues, with input from expertise in the relevant services and relevant Departments. I know that the Home Department and DCMS work together closely on this, and I think the Cabinet Office also has a role to play. Instinctively, I feel that something like the ISC would be the best place for it, but I am sure that is to be worked out.
One of the issues with a lot of this stuff is the role of the Executive, and making sure that the body is that far removed from political interference.
Q
Poppy Wood: Absolutely. If you are suggesting that they respond to PR crises, I would agree with you on that one. Of course, this about brands. We have seen with revelations from Frances Haugen that Facebook is not understaffed but just not focusing them in the right direction on this stuff. There are only handfuls of people focusing on co-ordinated disinformation for the whole world within these big technology companies. It should be dozens, especially if they are hiring 10,000 engineers for the metaverse in Europe. They can put some of them on elections and tracking. They say that they go far, but they could go much further. When there is pressure on them, they respond, and so far that pressure has been PR because there has not been regulation.
Q
Poppy Wood: We do not know, because we have not got the transparency. They may seem to have got better, but as a percentage of what, we cannot know. They will say that it has got better and that they have caught this many thousand as opposed to that many thousand last time, and those accounts have been taken down, but we have no idea if it is a percentage of what. That is why people, such as Frances Haugen, who have come forward as whistleblowers to say, “They are telling you this, but the data says that,” show that we should not be relying on those people. I am sure we will come on to the whistleblowers, but there have to touchpoints much earlier on, from civil society, from Government, from researchers, to say “Hey, actually, the scale is much larger,” or, “You’re not even looking at this stuff.”
London is one of the most linguistically diverse cities in the world, and when we are talking about counter-terrorism speech, one of Frances’s revelations was that 75% of counter-terrorism speech was identified as AI—it is terrorism speech, so it is taken down. We are thinking about the UK as an English monolith, but there is plenty of linguistic diversity that puts us at risk when those platforms are weaponised in elections, focusing on diaspora and so on.
I would hope that the platforms have got better, and I would like to give them the benefit of the doubt, but the truth is that we just do not know.
Q
Poppy Wood: I would challenge the first assumption that you can see what you can see on Facebook. They still view that as private information. Researchers cannot get access to that unless they kind of beg, borrow and steal. I understand the question—
But you can see public postings on Facebook. That is my point.
Poppy Wood: On your page, you can, but researchers cannot.
But that is still more than you can see on WhatsApp, where you cannot see a post at all.
Poppy Wood: That’s true. I suppose I would say they could do much more about transparency just about the public posts—that is my first point. Secondly, on encryption, there are concerns about some of the amendments in the Online Safety Bill and what that really means for encryption. I know we are not here to talk about that Bill, but encryption is an important tool. We know that those spaces are misused, but we need to be really clear about some of the benefits that encryption offers to lots of people, particularly the security services, for sharing information safely. We need to be careful.
Q
Poppy Wood: Let me give you a good example on Russia Today. We do a lot of work and analysis around Russia and Ukraine. Obviously, Russia Today was taken down from most national broadcast networks. It has been resurrected multiple times on social media. This week, we saw it resurrected with another name, like “Discovery Dig” or something, on YouTube, where lots of the comments, imagery and language were directing people to Telegram channels where they are actively mobilising.
What we see in the active mobilisation on Telegram channels is the outing of national security agents, the putting up of email addresses of politicians and saying, “Target them and say they are on the wrong side of the debate,” or, “Write to this national newspaper.” In all three of those examples, it is predominantly in the UK. They are telling them it is all fabricated. They are absolutely weaponising those private spaces. As you say, it is quite hard to get into them—but actually, it is not that hard. They are pretty open channels, with thousands and millions of engagements and followers. That is the scarier bit. They are private, but you are getting tens of millions of people and engagements on them. I am not sure that is the true definition of private, but it is certainly in an encrypted space.
Q
Poppy Wood: The role of whistleblowers in society is really important. I know the Government understand that. There are some good recommendations from the ISC about whistleblowers that I do not think have been adopted in this version of the Bill. That is about at least giving some clarity to where the thresholds lie, and giving a disclosure offence and a public interest defence to whistleblowers so they can say, “These are the reasons why.” My understanding is that at the moment it sits with juries and it is on a case-by-case basis. I would certainly commend to you the recommendations from the ISC.
I would also say—this was a recommendation from the Law Commission and also, I think, from the ISC—that lots of people have to blow the whistle because they feel that they do not have anywhere else to go. There could be formal procedures—an independent person or body or office to go to when you are in intelligence agencies, or government in general or anywhere. One of the reasons why Frances Haugen came forward—she has been public about this—is that she did not really know where else to go. There were no placards saying, “Call the Information Commissioner in the UK if you have concerns about data.” People do not know where to go.
Getting touchpoints earlier down the chain so that people do not respond in desperation in the way we have seen in the past would be a good recommendation to take forward. Whistleblowers play an important part in our society and in societies all round the world. Those tests on a public interest defence would give some clarity, which would be really welcome. Building a system around them—I know the US intelligence services do that; they have a kind of whistleblower programme within the CIA and the Department of Defence that allows people to go to someone, somewhere, earlier on, to raise concerns—is the sort of thing you might be looking at. I think a whistleblower programme is an ISC recommendation, but it is certainly a Law Commission recommendation.