(7 years, 11 months ago)
Lords Chamber
I completely take the noble Lord’s point. It is early days to be thinking in those terms, although he is right to do so. It is encouraging that the November IAEA report to the board of governors confirmed that Iran remains compliant with the nuclear-related measures set out in the joint comprehensive plan of action. We welcome the findings of the DG’s report. We praised the IAEA for its progress and continued work on that very challenging task, but no doubt lessons and messages will emerge from that strand of work.
My Lords, the noble Earl has talked about the need to move towards multilateral disarmament, but there are stocks of fissile material in various parts of the globe. How confident is he that those stocks, which could be turned into nuclear weapons, are sufficiently secure to avoid them falling into the hands of aspirant nuclear powers or, worse still, non-state actors that might wish to possess such materials?
My Lords, that is clearly a constant concern and the noble Lord is right to raise it. Against that background, the UK continues to push for the early start of negotiations, without preconditions, on a fissile material cut-off treaty in the Conference on Disarmament. We supported a Canadian-backed resolution at the United Nations first committee on that topic, in October. In this country we have a voluntary moratorium on the production of fissile material for nuclear weapons or other explosive devices. We have not produced fissile material for nuclear weapons since 1995.
(8 years ago)
Lords Chamber
We come back to the test of reasonable practicability here. I am about to come on to what the Bill does not provide for on encryption and I hope that this will help the noble Lord.
The Bill does not ban encryption or do anything to limit its use. The Bill will not be used to force providers to undermine their business models, to create so-called back doors or to compromise encryption keys. It will not be used to prevent new encrypted products or services from being launched and it will not undermine internet security.
I am very grateful for the detailed exposition that has been given. The Minister says that the Bill will not be used to do those things. Can he confirm that it cannot be used to do those things?
My Lords, some noble Lords have suggested the Bill’s provisions cause a weakening in encryption, which I think is the central point that the noble Lord is getting at. Many of the biggest companies in the world rely on strong encryption to provide safe and secure communications and e-commerce, but retain the ability to access the content of their users’ communications for their own business purposes, such as advertising, as we have heard. These companies’ reputations rest on their ability to protect their users’ data. This model of encryption can, and does, maintain users’ security. I do not think that anyone would dispute that.
Before I come on to the individual amendments, it would be helpful to address a number of specific points that were raised in relation to encryption. There was a suggestion that a company should never be asked to do something that it does not already do. Such an approach would of course, at a stroke, remove our ability to use any of the powers in the Bill, including carrying out any interception of terrorists’ and serious criminals’ communications, because companies do not do this in the normal course of their business.
There was a suggestion that equipment interference would do away with the need for these provisions. It will not. Equipment interference is no substitute for having a company’s assistance. Even if it were, there are only a very small number of very clever people who are able to carry out equipment interference. There will never be the capacity to deploy them on each and every operation.
Finally, there was a suggestion that encryption is not a problem for the security and intelligence agencies. The heads of those agencies have repeatedly made clear that ubiquitous encryption is one of the most difficult challenges they face.
I now turn to the individual amendments, because I hope that this will clarify the picture further. Amendment 251 seeks to preclude an obligation to remove encryption from being imposed under a technical capability notice in relation to end-to-end encrypted services. I hope that the points I have already made make clear why the proposed amendment is not necessary and indeed why it is not desirable. As I have set out, the Government recognise the vital importance of encryption. Nothing in the Bill does anything to limit its use, and that of course includes the use of end-to-end encryption. But I have also set out the dangers of creating a guaranteed safe space online for those who would seek to do the public harm such as terrorists and other serious criminals, and I am afraid that that is exactly what this amendment would do. The amendment seeks to make explicit provision in law for there to be certain online services that criminals can use to go about their business unimpeded with no fear of being caught. That is not a position that any responsible Government or, I hope, Parliament could support.
What we must ensure is that the Bill enables us to work collaboratively with individual telecommunications operators to establish what steps are reasonably practicable for them to take, considering a range of factors including technical feasibility and likely cost. Any decision will have regard to the particular circumstances of the case, recognising that there are many different models of encryption, including many different models of end-to-end encryption, and that what is reasonably practicable for one telecommunications operator may not be for another.
As I have already said, this is not about asking companies to undermine their existing business models; it is about working with them to find a solution to ensure both that their customers’ data remain secure and that their services cannot be exploited by individuals who pose a threat to the UK. So in answer to the question put by the noble Lord, Lord Harris, I can confirm that these provisions cannot be used to introduce back doors or undermine internet security.
We already have a wide range of safeguards which I have listed. I do not see that it is necessary to go down the road the noble Lord is advocating because of the dangers that I have pointed out. These amendments would create safe spaces which I am sure that neither he nor any noble Lord would desire to occur.
My Lords, I am enormously grateful to the noble Earl for his detailed response and for reiterating the welcome and voluminous safeguards that are set out in the Bill. They are important and valuable, and they give me confidence about the context of the whole Bill. However, the argument with which he concluded does not quite hold together and there is an elision between different issues. The noble Earl has given an absolute assurance, I think on the basis of a piece of paper that was handed to him, that it cannot be used to require a communications service provider to build a back door or to create one in a future area. But then he said that we must not put in the Bill something that creates a safe space. Either the Government’s position is that this cannot be used to require a company to produce a back door, in which case the safe space exists and presumably the Government are not happy with their own legislation, or it is the case that the Bill could require a communications service provider to build such a back door.
We have already heard from the noble Lord, Lord Evans of Weardale, that what we are trying to do here is balance two national security concerns: the national security concern to prevent terrorism and so on and the national security concern about making it slightly easier for cybercriminals. These are very important issues. If the Government are clear that, as a result of the Bill, a technical capability notice could not require an operator to build a back door that would otherwise not exist, it is important to set that out in the Bill. If we are in a position where techUK says—as it has in the briefing it circulated to me and, I am sure, to other noble Lords—that this is ambiguous, perhaps it is the responsibility of the Government to remove that ambiguity and make the position clear. I do not really want to have to divide the House on this matter, so between now and Third Reading, is the noble Earl prepared to turn the unequivocal assurance he has given that it cannot be used in this way into an amendment to the Bill that will remove that ambiguity?
With the leave of the House, I hope I can help the noble Lord on this because I do not believe that the Bill is contradictory. First, the term “back door” has been used, but I do not think that is a helpful or accurate way of describing the Bill’s provisions. “Back door” is in everyone’s judgment a loosely defined term. It is used incorrectly to imply that the Bill would enable our law enforcement, security and intelligence agencies to gain unrestricted access to a telecommunications operator’s services or systems, thereby undermining the security of those services—to force that to happen. That is absolutely not the case. The Bill enables our agencies to require telecommunications operators to remove encryption themselves, only in tightly defined circumstances: where they have applied the encryption themselves; where it has been applied on their behalf; where it is reasonably practicable for them to remove it; and where doing so is required to comply with a relevant warrant, notice or authorisation.
I come back to the point I made earlier. This is about the Government being able to sit down with companies and reach agreement with them on the basis of what is reasonably practicable, affordable and so on. It would not be responsible for any Government to deny themselves the possibility of doing that and discussing what in all the circumstances is reasonably practicable for the company, and for the company to agree to do it.
Again I am grateful to the noble Earl. I do not think anyone here has misunderstood the point that this is not about giving the Government uninterrupted access. It is about requiring companies to create a facility so that if they are asked, after all the suitable warrants have been gone through and all the safeguards have been fulfilled, to gain information and pass it back to the Government. I accept that that is the position and that is what is intended here. However, the Minister has still not been unequivocal on whether technical capability measures could require such a facility to be created, so that, in those circumstances and with all those safeguards in place, something could be done. It is a critical issue that we need to clarify. Otherwise, we do not know where we stand as far as the amendment is concerned. The Minister needs to provide the House and the IT industry with as much clarity as he can on this point, because the danger is that it will become the subject of continual argument.
Were the Bill to be amended by any of the amendments in this group, the Government would still have the option to say that they were minded to serve a technical capability notice on a particular company. That would then trigger a series of discussions, because it is what the Bill provides for, and a communications service provider might come back at that point and say, “Look, we literally cannot do it. We do not have the facility”. However, it is not clear whether the Government could none the less say, “Well, we understand that, but we are requiring you to do it”. The question then is: what is or what is not feasible? I happen to believe that some of the biggest communications service providers in the world have more computing expertise than any nation state. If they are told, “You are legally required to do this”, they could do it; they could find a way of making it happen. We have to be explicit as to what the Government’s expectation is. Are they saying, “No, that is not what we are requiring”, or are they saying, “Well, we might”? If they are saying, “We might”, that clarifies the position, if not helpfully. If they are saying, “No, we are not”, which is what the Minister said earlier, perhaps we could put that in the Bill—if not in the form of words proposed, then in some form of words that the Government could craft between now and next week. That would be a helpful way forward and provide absolute clarity as to the extent to which technical capability notices could be served. If I am not able to get that assurance from him—I appreciate that bits of paper have been flying backwards and forwards between him and the Box—we are in a very difficult position.
I can state categorically to the noble Lord that it is absolutely not the case that the Bill would force a company to insert a back door, thereby undermining internet security. We might ask a company in certain circumstances to decrypt particular data if it was reasonably practicable and feasible for them to do so.
My Lords, I understand that that is the case; that is, if they have the encryption key—we will not use “back door”; we will find another form of words—and the capability to do it, and it is not too complicated and all the relevant warrants are in place, yes, they will do that. As I understand it, most tech companies are perfectly understanding of that and willing to do it. The question is whether, if the Government were presented with a situation they were concerned about, they could say to one of the biggest communications service providers in the world, “We are asking you to build something which is not there at the moment, but we’ll provide that facility for those circumstances that might arise in the future when we’ve gone through all the relevant warrants and so on”. I am looking for an assurance from the Minister that that is not sought here, because of the dangers that we have already discussed. If he wishes, I can reiterate the question to give the Minister the opportunity to read the piece of paper that has just arrived.
Of course, a technical capability notice can require a new capability to be built; that is what they are there for. If it was neither practicable nor feasible, they would not have to do it. The problem here is that it is very difficult to generalise, because any decision about these things would have to have regard to the particular circumstances of the case. As I said, there are many different models of encryption, including many different models of end-to-end encryption. Any decision has to recognise that what is reasonably practicable for one telecommunications operator may not be for another. That is why I have referred repeatedly to the need for the Government and industry to have that easy interchange which they do at the moment. It is important to emphasise that these powers already exist in law today. We should not do anything that undermines the basis for the constructive discussions that we are having.
The Minister reminds us that the ideal arrangement is one of easy interchange and discussion—I understand that that carries on and works very well. He is right to say—this is why the wording of the current legislation is ambiguous and therefore a problem—that building a technical capability could mean simply putting in a piece of equipment, which means that, at the point at which the Government ask, having gone through all the voluntary processes, it is quite a straightforward matter to provide the information that the Government have legitimately and lawfully requested. That is one definition of technical capability.
What I want to know is whether “technical capability” could apply to a very secure end-to-end encryption process which no communications service provider could break but where, if they devoted thousands of person hours in California or wherever they operate from, they could develop something which might do that. If that is what the Bill is saying, we need to know.
I accept that it would not be reasonably practicable; it would also be very expensive—as I understand the Bill, the Government would have to pay for it and I am sure that technical experts in California or wherever might be very expensive. If that is the case, and if it is not possible to write it into the Bill—I would have thought it could be—it would be helpful for the Minister to write and make very clear what the Government’s intentions are in that regard and confirm that such circumstances are precluded by the Bill. If the Minister is prepared to do that, I am prepared not to press the amendment to a vote.
I think I have made the Government’s position as clear as I possibly can and I am not sure what I can do to amplify the remarks I have already made. While I want to be as helpful as possible to the noble Lord, I am struggling to see how a letter from me would make the position clearer.
I understand the Minister’s dilemma and I am sure that a letter from him to me would have far less force than the words appearing in Hansard. I appreciate that the courts can look at the debates in Hansard to try to interpret them. However, I ask that the Minister spends the next few days just thinking about some further modification to the Bill to make sure that this ambiguity, which I think genuinely exists—because techUK tells me so—is cleared up. On the basis that I am sure he will spend his waking hours between now and next Monday thinking about precisely these matters, I beg leave to withdraw the amendment.
(8 years, 4 months ago)
Lords Chamber
My Lords, first, I should draw attention to my interests in the register on policing and counterterrorism matters. Secondly, I should make clear that my starting point on the Bill is that it is important that the developing gaps in access to communications data are addressed to protect the nation against all sorts of threats.
In any set of counterterrorism or counterespionage measures, or whatever else it might be, you have to look at the balance and weigh the benefit to the nation in protecting its citizens by having those powers against the potential downside or consequences of exercising them.
When we come to the question contained in this group of amendments—essentially about enabling or requiring companies to break the apparent encryption—we have to look carefully at the potential downsides presented by this. The first downside, or danger, is that by enabling this to happen—by creating the mechanism and requiring companies, as my noble friend Lady Hayter said, to make new arrangements so that encryption can be broken—you create a back-door mechanism. This would be available not just to the forces of good—those who are trying to protect all our security—but to cybercriminals and those who would do us ill. Therefore you need to weigh clearly what you are trying to do against whether you are creating something that will make it easier for criminals and those who would do us harm.
The second element is the extent to which what we do in this country sets a precedent that will be seized in other countries, whose interests may not be the same as ours or as positive as ours towards their citizenry. If we create that precedent, what is to prevent Governments in other countries saying that they want the same powers and therefore doing the same? That test has to be applied to quite a number of the measures in the Bill. As I say, my starting point is that I want the state to be able to fill the gap in its access to communications data that is emerging and opening up. However, I want to hear from the Government a clear explanation of why in this set of cases the benefits outweigh the potential disbenefits.
My Lords, a number of amendments here separately seek to remove the encryption provisions from Part 9 or propose modifications to them.
I will begin with Amendments 92, 102 and 103, which propose removing the encryption provisions from Clauses 226 and 228. If these are anything other than probing amendments, I have to say that they are irresponsible proposals, which would remove the Government’s ability to give a technical capability notice to telecommunications operators requiring them to remove encryption from the communications of criminals, terrorists and foreign spies. This is a vital power, without which the ability of the police and intelligence agencies to intercept communications in an intelligible form would be considerably diluted.
Let me be clear: the Government recognise the importance of encryption. Encryption keeps people’s personal data and intellectual property secure and ensures safe online commerce. The Government work closely with industry and businesses to improve their cybersecurity. However, law enforcement and the intelligence agencies must retain the ability to require telecommunications operators to remove encryption in limited circumstances—subject to strong controls and safeguards—to address the increasing technical sophistication of those who would seek to do us harm.
Encryption is now almost ubiquitous and is the default setting for most IT products and online services. If we do not provide for access to encrypted communications when it is necessary and proportionate to do so, we must simply accept that there can be areas online beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. That cannot be right.
These provisions simply maintain the current legal position in relation to encryption and go no further. They retain the ability of law enforcement and the security and intelligence agencies to require companies to remove encryption that they have applied, or that has been applied on their behalf, in tightly prescribed circumstances. It would not—and under the Bill could not—be used to ask companies to do anything that it is not reasonably practicable for them to do.
The safeguards that apply to the use of these provisions have been strengthened during the Bill’s passage through Parliament. First, the “double-lock” authorisation process now applies to the giving of notices, which means that a judicial commissioner must approve the Secretary of State’s decision to give a notice. The Secretary of State must also consult the relevant operator before a notice is given. The draft codes of practice, which were published alongside the introduction of the Bill, make clear that should the telecommunications operator have concerns about the reasonableness, cost or technical feasibility of any requirements to be set out in the notice—which includes any obligations relating to the removal of encryption—it should raise them during the consultation process. Furthermore, the new privacy clause in the Bill requires that regard be given by the Secretary of State to the public interest in the integrity and security of telecommunications systems when deciding whether to give a technical capability notice.
My Lords, can the Minister clarify for me—I am sure that other noble Lords have got to the point precisely—that the requirements that the Bill seeks to create will apply only where a service provider has offered a service which most people might assume is secure and encrypted but has built in an existing arrangement which allows it to access it? Would it apply only in those circumstances? If that is not the case, perhaps the Minister could explain in what other circumstances it might apply. Can he further tell us whether there is an expectation in the Bill that, where a service provider is developing a new service, it must ensure that it has the facility to access what the user would assume are encrypted data?
The answer to both questions is that it depends on what is reasonably practicable for the communications service provider. The power will apply usually to encryption that the provider has applied or has been applied on its behalf. If there are other circumstances where it would apply, I will take advice and write to the noble Lord, but we come back to what is reasonably practicable for the company. It is why the Government maintain a dialogue with communications service providers to ascertain what is practicable and what is not, and what would be cost effective and what would not be. However, broadly speaking, the noble Lord was right.
I am sorry to press the point, but I need to understand it. I understand the Minister’s answer in respect of the requirement applying where it is reasonably practicable because the encryption arrangement has been applied by the service provider, but is he saying that there is an expectation that in building new services a service provider should create something where it is technically possible for it to undermine that encryption? If so, that would raise a very different point which is important to clarify. Is the service provider required to make it technically practicable in future services as it develops them for this to be allowed?
It might be, but it might not be. Again, it depends on what is reasonably practicable in the particular circumstances. Those circumstances might vary from provider to provider and from situation to situation, so it is not possible for me to generalise about this, but I will take further advice and write to the noble Lord about it.
I was certainly not implying that the Government wished to ban end-to-end encryption; in fact, we do not seek to ban any kind of encryption. However, there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication. It is not possible to generalise in this situation. I am advised that the Apple case to which the noble Lord referred could not occur in this country in the same way.
Is the Minister therefore saying the Government’s expectation is that service providers will in future ensure that it is reasonably practicable for them to access those communications? If that is the case, I think that he is raising a whole new group of issues.
The Bill is clear that any attempt to obtain communications data must be necessary and proportionate, or it will not be permitted. It is crucial that the Bill provides a robust, legal framework which means that the law is consistently applied correctly. That is why we are introducing the double lock involving judges signing off warrants for the most intrusive powers, which means that the Secretary of State’s decisions, other than in the most urgent cases, will be independently scrutinised before warrants can be issued. I come back to the central point here, which relates to encryption: we do not think that companies should provide safe spaces to terrorists and other criminals in which to communicate. They should maintain the ability when presented with an authorisation under UK law to access those communications.