Read Bill Ministerial Extracts
Investigatory Powers Bill (Fifth sitting) Debate
Full Debate: Read Full DebateGavin Newlands
Main Page: Gavin Newlands (Scottish National Party - Paisley and Renfrewshire North)Department Debates - View all Gavin Newlands's debates with the Attorney General
(8 years, 7 months ago)
Public Bill CommitteesI am grateful to the hon. and learned Lady. I am not saying that another name cannot be added. With a wider original warrant that says “Persons A, B and others unknown”, of course an extra name can be added. If the warrant’s original terms of reference are narrow—if they just include A and B—adding person C requires applying for a new warrant. With the greatest respect, I cannot make it any plainer or clearer than that. An ordinary warrant cannot be turned into a targeted, thematic warrant; that is the point. If a new warrant is needed, it must be applied for, and then the double lock will work.
Will that not be an incentive to make all warrants wide? The Solicitor General is saying that, when the original warrant is narrow, additional warrants will be needed, but when it is wide, names can be added.
Investigatory Powers Bill (Eighth sitting) Debate
Full Debate: Read Full DebateGavin Newlands
Main Page: Gavin Newlands (Scottish National Party - Paisley and Renfrewshire North)Department Debates - View all Gavin Newlands's debates with the Home Office
(8 years, 7 months ago)
Public Bill CommitteesI cannot double check on my feet, but that sounds like the further evidence that was put before the Joint Committee when it was in the middle of its deliberations. In fairness, the Home Office did go beyond websites to include some, maybe all, of the matters to which the hon. and learned Lady just referred.
The way this will operate in practice is a cause of real concern. The Secretary of State, without the double check of a judicial commissioner, and operating against a low-level threshold—clause 53(7)—can issue a retention order that will permit the retention of a record of all the websites that somebody has visited. That record will then be kept for 12 months, albeit with a different test if it is to be accessed later.
The amendments—I think you have called them the first set of amendments, Ms Dorries—are intended to construct in the first instance a different framework around this power, because it is so extensive, and put it in the hands of a judicial commissioner rather than the Secretary of State. That would provide a greater safeguard in relation to clause 78, with independent oversight through the function of the judicial commissioner. Alternatively, amendments 152, 153 and 222 would give the Investigatory Powers Commissioner some oversight. In other words, the intention behind these amendments is to put some rigour and independence into the exercise of what is a very wide power that, in fact, is the starting point for the exercise of all the other powers under the parts of the Bill that we are now concerned with.
Anxiety has been expressed on a number of occasions about cost. Huge amounts of data could be required for retention under clause 78. The Government have estimated the cost at £170 million. That is considered to be a gross underestimate by those who will no doubt be called upon to actually retain the data. For those reasons, these amendments are intended to tighten up a clause that is very wide and very loose. It permits a huge amount of data to be retained, including websites visited by you, by me, or by our constituents.
It is a great pleasure to rise as part of this ongoing scrutiny, and to offer my hon. and learned Friend the Member for Edinburgh South West brief respite in this Committee. It is also a great pleasure to serve under your chairmanship, Ms Dorries. It is great to follow the hon. and learned Member for Holborn and St Pancras, who in his customary fastidious and engaging manner has covered in a short space of time all the aspects of many amendments. Some of that bears repeating, and I will speak to new clause 10, which is tabled in my name and that of my hon. and learned Friend the Member for Edinburgh South West.
My hon. and learned Friend spoke at length about the important role that the judiciary, in the form of judicial commissioners, should bring to this process. We do not think it is good enough that the Bill only proposes to use judicial commissioners to review the process used by the Secretary of State in making a decision. The Government may claim that it is important that the Home Secretary retains the power to issue retention notices to internet service providers, as it will ensure that democratic accountability is a salient feature of the process, but I do not accept that to be the case. In fact, I would argue that because of the political arena that any Home Secretary operates in, it is right that this power is handed to and delegated to an independent official such as a judicial commissioner.
It is also worth noting that we know very little of the various notices that the Home Secretary issues, and as such there is no possible opportunity to hold her to account for them. Building the role of judicial commissioners into this part of the process will help to ensure that we have appropriate checks and balances when it comes to the retention of communications data. This is vitally important, because it is the proper constitutional function of the independent judiciary to act as a check on the use of intrusive and coercive powers by state bodies, and to oversee the application of law to individuals and organisations. Liberty rightly points out that judges are professionally best equipped to apply the legal tests of necessity and proportionality to ensure that any surveillance is conducted lawfully.
I turn now to new clause 7. Schedule 4 provides a lengthy list of bodies that are able to access or retain data, including several Government Departments, such as the Department for Transport, and a range of regulatory bodies, such as the Food Standards Agency and the Gambling Commission. This suggests that access to communications data may be allowed for a range of purposes which may be disproportionate and inconsistent with the guidance offered by the European Court of Human Rights.
I draw the hon. Gentleman’s attention to clause 79, which we are not debating at the moment but which is directly relevant to the point he made about proportionality. Clause 79(1)(a) states:
“(1) Before giving a retention notice, the Secretary of State must, among other matters, take into account—
(a) the likely benefits of the notice”.
To me, that would be a pretty strong way of enforcing proportionality. Yet the hon. Gentleman is in his peroration claiming that that would not be taken into account, or not sufficiently so.
I am grateful for the Minister’s intervention. I appreciate that that is a safeguard, but we must ask whether those Departments should be getting access in the first place.
I do not want to be unnecessarily brutal with the hon. Gentleman, but either he is making an argument about proportionality or he is not. If he is saying that nothing is proportional, then it should not happen at all, that is hardly an argument about proportionality. Those of us who take a more measured view of these things are considering whether such collection and access to data are proportionate. Proportions by their nature require an assessment of balance, do they not? Yet the hon. Gentleman is suggesting that the scales are weighted all on one side.
The Minister did not actually address why these Departments need access to these data in the first place. I appreciate the point that he is making, but these Departments should not, in my view, require access to this information.
The Minister talked about the duty to take into account the likely benefits of the notice, but does my hon. Friend agree that something may be beneficial without being necessary?
I agree with my hon. and learned Friend. We are not opposed to every measure in the Bill. There are benefits, but unfortunately they are not covered by enough safeguards and are not drawn tightly enough. I would like to make progress but I will give way once more.
I apologise if I missed the hon. Gentleman outlining the Departments, but could he tell me which ones should be excluded and not have access to this?
That has been dealt with at length. I have already mentioned the Food Standards Agency as one of the regulatory bodies. Schedule 4 does currently provide a lengthy list of bodies that should be able to access the data. New clause 7 would ensure that only the police forces and security agencies may request a communications data warrant, except where the warrant is issued for the purpose of preventing death, in which circumstances emergency and rescue services also fall within the definition.
New clause 10 outlines the requirements that must be met by warrants.
As, for example, the Food Standards Agency cannot itself bring a prosecution, may I conjure in the hon. Gentleman’s mind a situation whereby a criminal gang, as part of its activities, seeks to bring into the United Kingdom for sale to the British public a contaminated food source? Is that not something to which the Food Standards Agency should have access to information in order to ensure that citizens and consumers are safe?
I understand the hon. Gentleman’s point, but surely the police would be interested in that scenario and would have access.
In the abstract—by golly, isn’t this debate being held in the abstract?—the hon. Gentleman is absolutely right, but we invest the powers with the agency. The police are not an infinite resource. If we have the many who are charged with multiple areas of our lives—
These powers are very large and we should limit who has access to them. The police can pass on the relevant information to the agencies that can deal with that particular incident, but in my view, only the police and security forces should have access. I want to finish my point on new clause 10 but I will allow one last intervention.
Order. May I just ask that interventions be kept short, please, or we will be here all night? Mr Newlands.
I appreciate what the hon. Lady says but, as I am not a lawyer, I am struggling to distinguish the difference between Scottish and English law. Perhaps my colleague could address that.
My hon. Friend will no doubt agree that, in Scotland at least, it is the police who investigate serious crime, under the direction of the Lord Advocate.
The point has been dealt with, and I think we need to move on. The effect of new clause 10 —[Interruption.] I will finish, amid the chuntering. These new clauses require data retention notices to be issued only for specific investigative or operational purposes, to obtain specified data where those data are believed to be of substantial value. We do not believe, however, that the role of communications data in the investigation of crime justifies the Secretary of State’s mandate for blanket retention of historical communications data for the entire population for 12 months.
Clause 78 is important for all the reasons that I have set out, but at this stage, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 303, in clause 78, page 61, line 12, leave out—
“of all data or any description of data”
and insert
“of specified relevant communications data”.
With this it will be convenient to discuss the following:
Amendment 304, in clause 78, page 61, line 14, leave out paragraph (2)(d).
Amendment 305, in clause 78, page 61, line 16, leave out paragraph (2)(e).
I will not detain the Committee for too long; these issues have already largely been addressed. Amendments 304 and 305 seek to remove paragraphs (d) and (e) from clause 78(2). In a Bill replete with vagueness, those two subsections stand out as being particularly vague. The new clause that I will come to in a moment would require a data retention notice—or warrant, as we would wish—to be issued only for a specific investigative or operational purpose. The SNP has tabled amendments that will bring greater clarity to when and why a warrant would be issued.
As we know, communications data are defined as data that would be used to identify, or assist in identifying, the who, where and how. However, instead of allowing a blanket surveillance approach that treats everyone as a suspect, the amendments would allow the police to apply to a judicial commissioner for targeted retention warrants, in which data are required for the purposes of a specific investigation into serious crime, or for the purpose of preventing death or injury. I trust that these amendments are acceptable to the Government.
I rise to address the concerns of the hon. Gentleman. It is good to hear from him; I should have said that during the last group. He has made the point about his concerns of vagueness. However, I would argue that it is very important that a notice can have a degree of flexibility within it, because a single telecommunications operator may provide a number of different communications services, such as mobile telephony and internet access. However, there may be different complexities and sensitivities about the different types of communications data that are generated by those services. Considerable preliminary work is carried out between the Government and telecoms operators in advance of the service of a retention notice. That covers a number of issues, including the type of data that will be retained, the complexities of the operator’s systems, and the relevant security requirements. Flexibility is needed to ensure that the notice can appropriately reflect those issues, and that it imposes the minimum requirements necessary to meet the operational requirements.
What we are counter-intuitively getting at is to make sure that there is necessary give and take within the system to prevent what the hon. Gentleman and I would regard as an overweening approach from the Secretary of State, which would impede the ability of communications service providers to carry out their operations. For that reason, I respectfully urge him to withdraw the amendment.
I hear what the Solicitor General has said, but I do not wholly agree with him. I reserve the right to bring this back at a later stage. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 306, in clause 78, page 61, line 18, at end insert—
‘(2A) A retention notice may not require a telecommunications operator to retain any data belonging to a third party data, unless that third party data is retained by the telecommunications operator for their own business purposes.”
I beg to move amendment 317, in clause 78, page 61, line 34, leave out “(or description of operators)” and insert “or operators”.
With this it will be convenient to discuss the following:
Amendment 315, in clause 78, page 61, line 37, leave out “(or description of operators)” and insert “or operators”.
Amendment 319, in clause 78, page 61, line 42, leave out “(or description of operators)” and insert “or operators”.
Amendment 328, in clause 79, page 62, line 33, leave out “(or description of operators)” and insert “or operators”.
Amendment 338, in clause 80, page 62, line 42, leave out subsection (3).
Amendment 361, in clause 83, page 64, line 16, leave out “(or description of operators)” and insert “or operators”.
Amendment 374, in clause 83, page 65, line 1, leave out “(or description of operators)” and insert “or operators”.
Amendment 375, in clause 83, page 65, line 8, leave out “(or description of operators)” and insert “or operators”.
The SNP has tabled the amendments to provide for clear, appropriate and limited grounds on which data retention warrants may be issued. The amendments require that the data to be retained are specified and that organisations served with warrants to retain communications data should be identified rather than merely described.
Amendments 315 and 317 affirm that organisations that have been served a notice or warrant to retain the communications of their customers are properly and explicitly identified. The term “description of operators” is far too vague and we urge that it is changed to “or operators”. Amendment 328 ensures that those organisations are defined and named before a retention notice can be issued. Amendment 338 removes the possibility of the Home Secretary being able merely to describe the telecommunications operators that she wants to target. Amendments 361, 374 and 375 provide the basis for a concrete description to be included when there is any variation of a notice.
The amendments attempt to bring to the Bill some clarity, which is sadly lacking. It is not good enough that the Home Secretary can sign a notice that merely describes who is impinged on or directly affected by these intrusive powers, because that approach opens up the space for the powers to be abused. We need to act to ensure that, as much as possible, we operate a targeted approach.
I understand the purpose behind the amendment in that, in the opinion of the hon. Member for Paisley and Renfrewshire North, it would ensure greater specificity in the giving of notices. However, I shall give a brief example of what a “description of operators” might be. With this provision we would have been able to give the same retention notice to all wi-fi providers supplying wi-fi to the Olympic park in London during the 2012 Olympics. In these circumstances the operators are providing precisely the same kind of communications service and the data required to be retained are the same. Whether a notice relates to a description of operators or to a single operator, it can only contain what the Bill’s provisions allow and the Secretary of State must consult with the operators to which it relates. Operators also have the opportunity to refer the notice back to him or her in relation to any aspect of it. Therefore, on that basis, I invite the hon. Gentleman to withdraw his amendment.
I am content to withdraw the amendments at this stage. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I rise to speak to amendment 152, in clause 78, page 61, line 36, at end insert “, and
(c) only when approved by the Investigatory Powers Commissioner.
(5A) In deciding whether to approve a notice, the Investigatory Powers Commissioner must determine whether a notice is—
(a) that the conduct required by the notice is necessary for one or more of the purposes in section 53(7); and
(b) that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct.”
I beg to move amendment 320, in clause 78, page 62, line 13, leave out subsection (9) and insert—
“(9) In this Part ‘relevant communications data’ means—
(a) communications data of the kind mentioned in the Schedule to the Data Retention (EC Directive) Regulations 2009 (SI 2009/859), or
(b) relevant internet data not falling within paragraph (a).
(9A) In this part ‘relevant internet data’ means communications data which may be used to identify, or assist in identifying, the sender or recipient of a communication (whether or not a person).”
Thus far while debating the clause we have covered providing for the judiciary, in the shape of judicial commissioners, to issue data retention warrants rather than notices, and removing the Secretary of State from the role, making it clear on the face of the Bill who is eligible to apply for a warrant; limiting the grounds for the issuing of warrants; ensuring that all targets are identified and not described; and that the data to be retained should be specified. The fact that we in opposition have had to table so many amendments highlights the main problem in the drafting of the Bill: vagueness. The Bill is wholly lacking in specificity and clarity and nothing highlights that more than the issue of internet connection records.
As trailed by my hon. and learned Friend the Member for Edinburgh South West during the debate on clause 54, the SNP has significant reservations about the provisions on internet connection records as drafted in the Bill. Not only are the definition and legality of the provisions unclear, but the Government's case for ICRs has simply not been made. Amendment 320, which stands in my name and that of my hon. and learned Friend, would effectively remove ICRs from the Bill and replicate the Data Retention and Investigatory Powers Act 2014 in its original form, to ensure that the definition of “relevant communications data” is consistent with current legislation. That will help provide the legal certainty and clarity that the industry needs to understand its legal obligations appropriately. At the moment the industry is having difficulty in understanding what exactly the Government want and require it to do. Although the industry is willing to work with the Government to try to implement their vision for ICRs, it does not know what ICRs are, and it looks as though the Government do not altogether know either.
Despite the significance of ICRs, very little detail about them has been provided, with the Government consistently saying that the detail can be worked out later. That lack of clarity is simply not good enough when the Government are asking us to sign off on legislation that will have a significant impact on the industry and impinge significantly on the right to basic privacy that our constituents, quite rightly, expect. Indeed, the Internet Service Providers Association says:
“The Investigatory Powers Bill deals with highly complex technical matters, however, our members do not believe that complexity should lead to a Bill lacking in clarity.”
I could not agree more. As has been mentioned already, the clearest definition of an ICR is not in the Bill itself but in the document “Operational Case for the Retention of Internet Connection Records” from the Home Office. That describes ICRs as
“a record of the internet services that a specific device connects to – such as a website or instant messaging application – generated and processed by the company providing access to the internet.”
A concrete definition of what specific data form an ICR, exactly who has access, precisely what for and exactly who must retain the data must be on the face of the Bill.
The Home Office may want to have a “flexible” definition, as typified in clause 54(6), but given that we are dealing with a Bill that may have the biggest impact on civil liberties than any other Bill for generations, that simply will not cut the mustard. The Intelligence and Security Committee helpfully referred to ICRs as providing information on the “who, when and where” of someone’s internet use. The Government claim that they have no plans to acquire the content of the said communications, but DRIPA and RIPA suggest that that does not matter, given that acquiring the sort of information that is going to be held under an ICR can provide important details on the date, time, location and type of communication used. Liberty suggests that ICRs will provide a detailed and revealing picture of somebody’s life in the digital age. That point was highlighted by the Information Commissioner when he said that ICRs can reveal a great deal about the behaviours and activities of an individual. In fact, Stewart Baker, former senior counsel to the United States National Security Agency, stated that it
“absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”
Based on those statements alone, it is important to assess the proportionality and necessity of ICRs, but also question whether they are in accordance with the law. We live in a digital world and, quite rightly, our constituents place a lot of importance on their right to privacy as they use the internet. We accept that the security authorities need adequate powers to keep us safe and it is only proper that the Government consider what new powers they need for the digital age. However, like most people, I am deeply concerned about the complete lack of specifics about ICRs. In publishing such widely drafted legislation and telling the sector that the detail will come shortly, the Government are asking us all to trust them. They are asking us, as Members of this House, to pass and approve legislation without knowing what its full impact, costs or consequences—unintended or otherwise—will be. In effect, they are asking us to sign a blank cheque on much of the communications data powers. Is that really a proper and effective way to devise and develop legislation that has such civil liberty repercussions?
The SNP is not opposed to certain authorities having the power to obtain communications data or internet connection information critical to their investigations. We fully accept that some power is not only necessary, but crucial, for law enforcement in the 21st century. However, rather than a blanket collection of the websites that everyone in the UK has visited in the last 12 months, we prefer a specific, targeted solution. We agree that intercepting someone’s communication data can be an important part of any criminal investigation and it is important that we do that for those suspected of being engaged in criminal activity. There is an obvious difference, though, in intercepting the communications of those suspected of criminal activity and those of the vast majority of our constituents, who are, by and large, law-abiding citizens.
The Government are asking companies to hold and retain information on all the internet sites that an individual visits. It is unclear how much information the Government want those companies to hold, but it is clear that it is going to be a huge amount of data and we still do not know about the feasibility or costs involved. The sort of information that the Government want companies to retain could be sites that the person has mistakenly accessed; it could be a website that the person has spent only a few seconds on; it could also be an internet site that a person has accessed for deeply personal reasons, such as receiving advice on domestic violence or on health matters. Putting the sensitivity and privacy argument to one side, we need to consider whether the Government are going to have too much information at their disposal and thus, inadvertently, make it harder for our security services to complete their investigations.
During the evidence session I made a point about mobile devices always being connected to the internet via various apps, following a similar point made by the hon. and learned Member for Holborn and St Pancras. Those applications are constantly creating ICRs and that will increase as phones become even more advanced and able to process more information more quickly, with bigger memories.
It is unclear how many automatic ICRs are being created by my phone alone, but the Government are demanding that the various communications companies retain these ICRs for a period of 12 months. Conversations with people in the industry have shown that companies have yet to figure out how they will separate the automatic data that are generated through a third-party app from the data that are generated manually by a user. According to the definitions in the Bill, both will generate the same data, showing that the user has accessed an app and recording the date, location, time and so on of that use.
Another industry expert told me that a single app could generate up to 100 ICRs per minute—that is just one single app. I am unsure of the figures for over here, but in America there is an average of 27 apps on every smartphone. If it is the same in the UK, and taking into account the average number of apps and possible connections, this could lead to 2,700 ICRs per phone per minute, or 100,000 ICRs per phone per day. Well over 3 million ICRs could be generated just by the phones in this room. The third party app issue has been raised by the industry time and time again, but it has not been properly addressed by the Government. In evidence given to this Committee, the CEO of BT security, which has been working with the Government, said in response to the third party app issue:
“We are considering whether to propose an amendment to the Home Office on the third party data question, which is the case in point here, and how that should be approached. We think that the principle is that other providers who have that data are the ones who should be subject to it, and that it should be explicit in the Bill”.
I then pressed him on whether at the moment the Bill was not clear enough on that aspect. He replied:
“It could be clearer, and we are thinking about proposing an amendment specifically to over-the-top providers, making it clear that they are responsible for that”.––[Official Report, Investigatory Powers Public Bill Committee, 24 March 2016; c. 49, Q137-138.]
I have to say, if BT are unsure who is involved, how are the rest of the industry supposed to know? We have to ask whether or not it is necessary or proportionate for the Government to have information and data on the apps that I or anyone else has on their phone. Given these points, among others, I can understand why so many people are calling ICRs a Home Office solution to a police problem, instead of being a police solution to a police problem. This point was articulated during the evidence session by Sara Ogilvie of Liberty, who said:
“It seems clear that, given the bulk nature of these powers, they will not deliver that kind of information in a helpful manner. If anything, it seems more likely to drive criminals to use bits of the internet that will not be captured by the service”.––[Official Report, Investigatory Powers Public Bill Committee, 24 March 2016; c. 15, Q31.]
We also need to be mindful of the amount of information that we want to expose and the potential for this to be targeted by criminal hackers. When a similar plan to collect web logs was proposed in 2012, the Joint Committee on the draft Communications Data Bill concluded that it would create a
“honeypot for casual hackers, blackmailers, criminals large and small from around the world, and foreign states”.
This wealth of data in the wrong hands could be used for identity theft, scamming, fraud, blackmail and even burglaries, as connection records can show when internet access occurs in or out of the house, representing a daily routine. This is an unacceptable level of risk to inflict on innocent internet users. The Chair of the Science and Technology Committee said:
“There remain questions about the feasibility of collecting and storing Internet Connection Records (ICRs), including concerns about ensuring security for the records from hackers. The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the Bill to achieve its stated security goals”.
Furthermore, not to be outdone, the Joint Committee tasked with scrutinising the draft Communications Data Bill said in its final report that,
“storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people’s interests or activities could be drawn”.
Surely with these warnings, which were issued by such influential and important Committees, the Government should have listened and addressed some of their concerns, but it would seem not. With regard to some of the case studies laid out in “Operational Case for the Retention of Internet Connection Records”, the likelihood of ICRs proving vital in identifying criminals has been questioned by ISPs and technologists. The justification for ICRs being helpful relies on the assumption that online criminals offend using a regular browser or public file sharing service on their own device, using personal internet connections, without employing the most basic of the widely available anonymity tools to avoid detection. The use of VPNs or Tor helps anonymise users of the internet. As such, ICRs will be unusable and, in fact, misleading where such privacy tools have been used. It is obvious for all to see that the more information that is retained, the greater the costs entailed to either the industry or the taxpayer.
When I spoke to people at TechUK last week, they explained that the introduction of ICRs will be a significant change to the industry and that all organisations will have to re-adapt to meet the new expectations and responsibilities that are being put on them. In addition, they are concerned about the new types of technology that they will need to install to allow them to cope with the new demands from Government. For example, they are concerned that many in the industry will have to install new filtering systems to help companies deal with the vast amount of data they now have to retain. It is difficult even to question the feasibility of such demands due to the limited information and detail provided by the Home Office.
This is the first speech I have made in this place that has required an intermission. It has been suggested that I start from the beginning as I cannot remember where I had got to. I am nothing but a crowd pleaser, Ms Dorries, but I have found the place where I left off, so I shall continue.
I was saying that the question whether the Bill is in accordance with the law is up for debate. If this part is left unchanged, Liberty and others suggest that it will be in conflict with human rights law, including breaching the EU charter of fundamental rights and freedoms. In July 2015, the High Court upheld its challenge and struck down sections 1 and 2 of the Data Retention and Investigatory Powers Act 2014, finding them incompatible with the British public’s right to respect for private life and communications, and protection of personal data under articles 7 and 8 of the EU charter of fundamental rights.
In addition, we should be mindful that the challenge against DRIPA is ongoing and that the outcome will have an impact on whether this part of the Bill is lawful, although I suspect not. On that basis, I question whether ICRs will do the job the Government intend them to do. The Home Office has become entrenched with regard to ICRs and its fixation with them is clouding its ability not only to look at alternatives, but to assess whether ICRs are proportionate, necessary or in accordance with the law. The SNP believes that ICRs fail those three basic assessments.
I want to quote an unlikely ally, who, in 2009, said in Committee:
“Our consideration of the regulations comes against the backdrop of an increasingly interventionist approach by the Government into all of our lives, seemingly taking the maxim ‘need to know’ to mean that they need to know everything. Certainly, we need to know what the Government’s intentions are in relation to the creation of a new central database, which would create a central store of our electronic communications.”—[Official Report, Fourth Delegated Legislation Committee, 16 March 2009; c. 6.]
That ally was none other than the right hon. Member for Old Bexley and Sidcup (James Brokenshire), now Minister for Immigration at the Home Office, speaking in a Delegated Legislation Committee on an EC directive with very similar provisions to parts of this Bill. That statutory instrument was passed by the House, but notable opponents included Members who are now Scottish Secretary, Home Secretary and Minister for Security—the Minister in charge of this Bill.
We in the SNP are mindful of the evidence that has been presented and submitted to the Committee, but it is our opinion, backed up by case law, that the power to retain ICRs is incompatible with the right to privacy and the protection of personal data, and I urge hon. Members to amend the Bill and ask the Government to think again.
I am grateful to hon. Members for this important debate, which, although it relates to an amendment, inevitably strayed into what is, in effect, the stand part debate on communications data.
The hon. Member for Paisley and Renfrewshire North set out his case comprehensively, but his arguments relate to measures and proposals that are not before the Committee. We have moved a long way from 2009, and certainly from 2012, when the original draft Bill was considered by a predecessor Joint Committee. We are not in the situation where the Government will hold a centralised database. That sort of measure was rightly opposed by my right hon. Friend the Minister for Immigration and other of my hon. Friends at that time, because we are naturally suspicious of an organ of Government directly blanket-holding such data.
That is why this provision is not remotely like that. It does not contain anything like the provisions that the hon. Gentleman rightly cautions against, most importantly because the retention of that data is not in the hands of Government. That arm’s length approach is a key difference, which I am afraid undermines all the seeming quality of his argument.
Will the series of private databases under the Bill be any safer from hacking than a central Government database?
The hon. Gentleman makes a proper point about security. This, in respect of the code of practice and in collaboration with the industry, will be at the forefront of everybody’s mind. What is important is that the Government do not have a pick-and-mix or help yourself avenue within which they can mine data for their own capricious purposes.
The framework of the Bill quite properly severely circumscribes the circumstances within which the Government can seek access to that material. Most importantly, when it comes to content, the warrantry system—the world-leading double lock system we are proposing—will apply. An internet connection record is not content; it is a record of an event that will be held by that telecommunications operator. It relates to the fact of whether or not a customer has connected to the internet in a particular way. If it goes further into content, the warrantry provisions will apply. It is important to remember that framework when determining, and describing and putting into context, what we are talking about. The Committee deserves better than indiscriminate shroud-waving about prospects and concerns that simply do not arise from the measures in the Bill.
The hon. Gentleman quite properly raised the Danish experience. The Danish Government and authorities are in regular conversation with the United Kingdom Government. That dialogue goes on because they are naturally very interested to see how our model develops, although there are important differences that should be set out briefly. The Danish legislation was not technology neutral, unlike these proposals, because it specified two options that proved unworkable. We work with operators case by case so that the best option for their network at the appropriate time will be determined. The Bill builds on existing data retention requirements, such as the retention of data necessary to resolve IP addresses, which regime already exists under the Counter-Terrorism and Security Act 2015. The full cost recovery underpinning by the Government means that there is no incentive for communications service providers to cut corners, as I am afraid happened in Denmark. There are important differences between the two.
The hon. Gentleman rightly talks about IPV6. Although it is a great aim and something that all of us who have an interest in this area will have considered carefully, it still is, with the best will in the world, a way away, I am afraid. It will take a long time for all service providers to implement in full, and until then, there will be both types of system. Even with IPV6, CSPs may choose to implement address sharing or network address translation, meaning that it is not the guaranteed solution that perhaps has been suggested. Servers who host illegal material are much less likely to move to that system, meaning that, in practice, IPV4 may well remain with us. We therefore have to act in the interim, because, as has been said, the drift away from what I have called conventional telecommunications to the internet carries on whether we like it or not. We have to face up to the world as it is, rather than the world as we would love it to be, and therefore take into account the fact that we are in danger of being unable to detect criminality and terrorism.
I hear what the Minister has to say but I am not assuaged by his comments, so this shroud-waver would like to press the amendment to a vote.
Question put, That the amendment be made.
Investigatory Powers Bill (Tenth sitting) Debate
Full Debate: Read Full DebateGavin Newlands
Main Page: Gavin Newlands (Scottish National Party - Paisley and Renfrewshire North)Department Debates - View all Gavin Newlands's debates with the Home Office
(8 years, 7 months ago)
Public Bill CommitteesOn a point of order, Mr Owen. May I add my remarks to yours? We wish my hon. Friend well and hope that he has a swift recovery from his operation.
Clause 109
Implementation of warrants
I beg to move amendment 293, in clause 109, page 87, line 39, leave out subsection (3).
This amendment would remove the provision which allows a targeted equipment interference warrant to be served on a person outside the UK for the purpose of requiring that person to take action outside the UK.
With this it will be convenient to discuss the following:
Amendment 645, in clause 109, page 87, line 41, at end insert—
“(3A) Subsection (3) shall not be applicable where the person outside the United Kingdom has its principal office where it is established for the provision of services in a country or territory with which the United Kingdom has entered in to an international mutual assistance agreement or is subject to an EU mutual assistance instrument.”
This excludes the extraterritorial provision in cases where any mutual assistance arrangement exists between the UK and the provider’s jurisdiction while enabling the government to seek voluntary assistance from CSPs in non-MLA countries.
Amendment 679, in clause 110, page 88, line 9, at end insert—
“(1A) Where such a warrant is to be served upon a person outside the United Kingdom the warrant shall be served at that person’s principal office outside the United Kingdom, where it is established, for the provision of services.”
Amendment 694, in clause 110, page 88, line 10, at beginning insert—
“Where service of a warrant in the manner envisaged in subsection (1A) is considered unfeasible or inappropriate in the circumstances,”
Amendment 647, in clause 110, page 88, line 10, after “Kingdom”, insert—
“the warrant shall be served at that person’s principal office outside the United Kingdom where it is established, for the provision of services. Where it is considered unfeasible or inappropriate in the circumstances,”
The Home Secretary confirmed at second reading that a UK agency would only serve a notice on an overseas entity that is capable of providing assistance under the warrant. UK agencies today routinely use secure means of communication to transmit notices directly to the main office of overseas CSPs. This would make government’s commitment clear on the face of the Bill (as it is in the relevant code of practice) and address contradictory provisions that remain in the Bill.
Amendment 648, in clause 111, page 89, line 19, after “take”, insert—
“which for a relevant operator outside the United Kingdom shall include—
(a) any steps which would cause the operator to act contrary to any laws or restrictions under the law of the country or territory where it is established, for the provision of services, or
(b) where a warrant could be served pursuant to an international mutual assistance agreement or subject to an EU mutual assistance instrument.”
This amendment clarifies the reasonableness test for overseas CSPs.
It is a pleasure to serve under your chairmanship, Mr Owen. May I add to your comments that I will miss the exchanges with the hon. Member for North Dorset? I wish his replacement well.
Clauses 109 and 110 deal with issues about compelling a third party to provide assistance in the execution of a warrant and extraterritoriality, which is the subject of amendment 293. In speaking to the amendment, and to the clause more generally, I will unavoidably stray into matters relating to clause 110, as the two are inextricably linked.
Clause 109 provides the UK Government with the power to issue warrants that in turn force third-party organisations or individuals outside the UK to assist in acquiring information for the means of equipment interference. The clause states that
“any person whom the implementing authority considers may be able to provide such assistance”
can be served with a warrant to assist in carrying out a targeted hacking warrant. Under clause 110(2), this warrant may be served at a person’s principal office or specified address in the UK, or by making it available for inspection in the UK after appropriate steps have been taken to bring the contents of the warrant, and its very existence, to the attention of the person.
First, the problem here is the lack of judicial authorisation in this part of the process. Privacy International rightly points out that this compelled assistance will not be subject to judicial authorisation. Although law enforcement and security and intelligence agencies will have to seek a warrant to gain access to people’s devices and computers, it is correct that those authorities are not required to seek judicial approval to compel technology companies to assist in their investigations.
Secondly, we should be mindful of the difficulty that this places on any individuals or organisations who are forced to comply with the Government’s demands. These issues were heard by the Science and Technology Committee, where serious concerns were raised about the security implications of forcing companies to, for example, upload and install malware, as well as the fear that equipment interference could jeopardise their business model. The Science and Technology Committee took note of these issues and concluded that
“the industry case regarding public fear about ‘equipment interference’ is well founded.”
Amnesty International UK is deeply concerned about the dangerous precedent that this broad, aggressive power will set in forcing third-party companies to engage in hacking without any independent provision or scrutiny, and to do so in secret.
Thirdly, the extraterritorial measures in clauses 109 and 110 may cause more problems than they solve. That is why amendment 293, which stands in my name and that of my hon. and learned Friend the Member for Edinburgh South West, seeks to delete subsection (3) entirely, thereby removing the extraterritorial aspect. If we serve hacking warrants on those outside the UK, what sort of message does that send to other countries? We need to be mindful that introducing this type of clause could open the floodgates for other countries to follow suit, which will ultimately have an impact on companies based in the UK. That point was articulated by Yahoo!, which said:
“Extraterritoriality encroaches on the sovereign rights of other governments and risks retaliatory action, including against UK CSPs operating overseas.”
On that point, the Government’s independent reviewer’s report suggests that, when countries seek to extend their legislation extraterritorially, those powers may come into conflict with legal requirements in the country in which companies being asked to comply with a legal request are based. Companies explained to the reviewer that they did not consider it was their role to arbitrate between conflicting legal systems. The protection of vital human rights should not be left to the goodwill and judgment of a company. The concerns of the industry were articulated in this perfect quote. The industry
“expressed concerns that unqualified cooperation with the British government would lead to expectations of similar cooperation with authoritarian governments, which would not be in their customers’, their own corporate or democratic governments’ interests.”
I shall finish with this comment from Yahoo! It states:
“The current legal framework comprises the law in the requesting country, law in the receiving country and the international agreements that connect the two.”
It is additionally possible that the requesting and receiving countries’ laws may be in conflict. For example, the receiving country’s law may outlaw the provision of content data outside their own legal process. It continues:
“Taken as a whole, this framework is fragmented, with gaps and conflicts which have gone unaddressed for many years. In this more global communications environment, this fragmentation has become more and more obvious and creates a patchwork of overlapping and conflicting laws which overseas and domestic UK CSPs must navigate in order to discharge their legal obligations to safeguard users’ privacy and to respond appropriately to valid requests for access to data… It also creates a complex environment for users to navigate and establish their privacy rights.”
This issue is global, and national laws cannot resolve global issues.
I will be brief. Members will have observed that the amendments in my name are in keeping with my previous amendments about implementation, service and extraterritoriality in relation to other warrants. I will not repeat the points I made then. The only one that is different is amendment 646, a simple proposed change to clause 109 that would add the provision:
“A warrant may be implemented only to the extent required for the purpose for which the warrant was issued.”
I think that may be implicit. If the Minister could indicate that that is his understanding, that might allay concerns and the amendment would not need to be pressed.
As the hon. and learned Gentleman says, we have been down this road before. I well recall discussing similar amendments to the targeted interception provisions in part 2. The Bill maintains the existing position in relation to extraterritorial jurisdiction and those obligations that apply to overseas companies. I am unhesitating in my view that overseas companies, because of their important role in communications, must do their bit to do the right thing, as I said previously and memorably. As a result, I will not tire the Committee by going into that argument in great detail.
Amendment 293 to clause 109 seeks to remove the ability to serve a warrant on an overseas provider and amendment 645 seeks to remove the ability to serve a warrant on an overseas provider when a mutual legal assistance agreement is in place. I draw the Committee’s attention once again to David Anderson’s comments in his report, in paragraph 11.26:
“There is little dispute that the MLAT route is currently ineffective.”
I will not quote it at length but he goes on to say that it is because it is too slow and so on. I do not think that those amendments are in line with either his view or mine.
The effect of accepting the first amendment is evident. It would mean we could serve an equipment interference warrant only on a provider based in the UK. The second amendment seeks to assert mutual legal assistance arrangements as the only route. For the reasons I have already given, that is not appropriate.
The hon. and learned Gentleman asked, in the context of his amendment, whether that matter was implicit. Yes, it is implicit and I can confirm what he thought might be the case.
The arguments have already been made and, on careful reconsideration, the hon. Member for Paisley and Renfrewshire North will realise that his amendment and argument are pseudodox and will withdraw on that basis.
I thank the Minister for that response and I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I can deal with this in fairly short order. The Scottish National party tabled an amendment to leave out the clause, which places a duty on telecoms operators to assist with the implementation of equipment interference warrants. We agree with those in the industry who are rightly concerned about being forced by the state to engage in the legal hacking of customers and other individuals and groups.
The Bill defines a telecoms operator as
“a person who…offers or provides a telecommunications service to persons in the United Kingdom, or…controls or provides a telecommunication system which is (wholly or partly)…in the United Kingdom, or…controlled from the United Kingdom.”
That flexible and all-encompassing definition means that not only online companies such as Google, Facebook, Twitter, Dropbox and Yahoo!, but private offices, businesses, law firms, the networks of Departments such as the NHS and institutional networks such as those of universities would be forced to comply with the Government’s instructions to interfere with or hack the communications of an individual or group. That was confirmed by the Home Secretary in her evidence to the Joint Committee that scrutinised the draft Bill. That power will place those companies, whose services most, if not all, of our constituents use, in a deeply unsettling and invidious position.
I am not convinced that any of our constituents would be pleased to hear that we were passing legislation that would allow their email accounts or Facebook pages to engage in illegal hacking on behalf of the state. The extraordinarily expansive power that the clause gives the Government will force companies to engage in highly controversial work on their behalf, which will no doubt be in conflict with the interests of cybersecurity and product security that the companies work hard to innovate in, protect and extend. Forcing these companies to engage in legal hacking could seriously harm their business and operations. It will also lead to some of their customers and users losing trust in their businesses. I am not surprised that companies have long expressed deep concern about the powers laid out in the clause, as it is in direct conflict with their business interests. For those reasons, the SNP would like to see the clause deleted from the Bill.
I shall do my best impression of her, Mr Owen, but I fear it will be inadequate.
I beg to move amendment 296, in clause 113, page 91, line 22, at end insert—
“(A1) Material obtained via a warrant under this Part may only be shared with overseas authorities in accordance with the terms of an international information sharing treaty.”
This amendment would require that information obtained via an equipment interference warrant is only shared with overseas authorities where a mutual legal assistance treaty has been put in place for the purpose of doing so.
Clause 113 deals in part with the overriding issue of information obtained through equipment interference being shared with overseas authorities. We should take note of the oral and written evidence submitted by Amnesty International on this point about the lack of any proper controls over intelligence sharing with foreign authorities. The human rights implications may be very serious indeed. For example, there is nothing in the Bill to prevent data being shared with an overseas authority when that might lead to the abuse, or possibly torture, of an individual or group. Surely we should set an example by ensuring that data gathering does not lead to torture; that should be the minimum standard expected of a civilised country such as ours.
However, if the SNP and Amnesty International are a little left-wing for hon. Members’ tastes, I give them the Intelligence and Security Committee, which also criticised the lack of clarity on this point when it noted that the Bill
“does not…meet the recommendations made in the Committee’s Privacy and Security Report that future legislation must set out these arrangements more explicitly, defining the powers and constraints governing such exchanges.”
The written evidence submitted by Yahoo! and others expressed concern that the Government’s apparently unilateral assertions of extraterritorial jurisdiction
“will create conflicting legal obligations for overseas providers who are subject to legal obligations elsewhere.”
David Anderson has also noted the lack of detail in this section of the Bill. He called for information sharing with foreign countries to be subject to strict, clearly defined and published safeguards. His report states:
“The new law should make it clear that neither receipt nor transfer as referred to in Recommendations 76-77…should ever be permitted or practised for the purpose of circumventing safeguards on the use of such material in the UK.”
However, such safeguards and guarantees are notably absent from the Bill. Furthermore, the independent reviewer’s report described the international trade in intelligence between the “Five Eyes” partners—the UK, the USA, Canada, Australia and New Zealand. In so far as material gathered by the British services is shared with other countries, the report explained that the security services take the view that, under their founding statutes, information should be shared only if it
“is necessary for the purpose of the proper discharge of the security and intelligence agencies’ functions.”
When it is considered that the test is met, certain safeguards apply under the Regulation of Investigatory Powers Act 2000. However, the report concluded that
“in practical terms, the safeguards applying to the use of such data are entirely subject to the discretion of the Secretary of State.”
The 2000 Act and the codes of practice are silent on British services receiving or accessing information from foreign services, with security services limited only by the general constraints placed on their actions by various statutes. It was only during Liberty’s legal action against the security services in the Investigatory Powers Tribunal that limited information was revealed about the way in which the security services approach such situations. In its first finding against the agencies, the IPT held that, prior to these disclosures, the framework for information sharing was not sufficiently foreseeable and was not therefore in accordance with law. The tribunal held that, because the litigation had resulted in disclosures of information, the security services were no longer acting unlawfully when accessing information from the US. Based on the concerns that Amnesty International, Liberty and others have raised, the SNP has tabled amendment 296, which would insert a new subsection into clause 113. The language of the amendment is plain.
I have listened carefully to the hon. Gentleman’s comments. On the sharing of information with authorities that may engage in torture or other serious ill-treatment, can the Minister confirm the long-standing practice that our security and intelligence services do not share information where there is a risk of torture, because of their obligations under other international treaties, and that this provision sits within that framework of assurances?
I can confirm that, and I can say a little more. My residual generosity is such that I take the view that these amendments are well intentioned, but they are unnecessary. Let me say why.
Clause 113 already provides that the Secretary of State must ensure that satisfactory and equivalent handling arrangements are in place before sharing UK equipment interference material with an overseas authority. The Secretary of State must determine that they provide corresponding satisfactory protections. Furthermore, those obligations sit alongside those in, for example, the consolidated guidance to intelligence officers and service personnel on the detention and interviewing of detainees overseas, and on the passing and receipt of intelligence relating to detainees, as well as the gateway provisions that allow for intelligence sharing in the Intelligence Services Act 1994 and the Security Service Act 1989.
In addition, the overseas security and justice assistance guidance provides an overarching mechanism that sets out which human rights and international humanitarian law risks should be considered prior to providing justice or security sector assistance. This is supplemented by the draft code of practice on equipment interference, which is clear about the safeguards on the handling of information. It seems to me that the protections, absolutely necessary though they are, are comprehensively dealt with by that variety of means, rendering the amendment unnecessary. I invite the hon. Gentleman to withdraw it.
I thank the Minister for his comments, and I am somewhat reassured, but I still do not understand the Government’s reticence about putting this in the Bill; it is only a sentence that is required. Nevertheless, we are minded to withdraw the amendment at this time. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 113 ordered to stand part of the Bill.
Clause 114
Duty not to make unauthorised disclosures
I beg to move amendment 649, in clause 114, page 91, line 42, after “not”, insert “without reasonable excuse”.
I have said all that I need to say on the amendment. Members of the Committee will appreciate that the amendment has been tabled for each of the offence provisions for the reasons I set out the first time we encountered it. That was dealt with by the Solicitor General, so I shall say no more about it at this stage.
I will not detain the Committee long. I hear what the hon. and learned Gentleman says and broadly agree with it. I rise merely to point out the differences between the two amendments before us. The SNP’s amendment would insert an additional subsection that adds the additional defence and leaves subsection (3) in, whereas the Labour amendment removes that.
I am grateful to the hon. and learned Member for Holborn and St Pancras. We are familiar with the arguments and our response is that the information gateway, which allows people to take concerns directly to the Investigatory Powers Commissioner, caters for the public interest. For that reason I urge him to withdraw the amendment.
Gavin Newlands
Main Page: Gavin Newlands (Scottish National Party - Paisley and Renfrewshire North)Department Debates - View all Gavin Newlands's debates with the Home Office
(8 years, 5 months ago)
Commons ChamberThe hon. and learned Lady is, I am afraid, picking on a hole in the Bill that is simply not there. [Interruption.] It is not there because the collection of bulk data is entirely categorised by the Bill. The Bill supervises entirely the ability to collect bulk data. The analysis is then done by trusted officers of the state. To accuse them of anything other than the highest forms of integrity would be an extraordinary statement to make in the House.
Will the hon. Gentleman give way?
No, I am afraid I will not. I have given way enough.
It would be baffling to look at that list and accuse people of such integrity of having anything other than the best intentions. The important thing, however, is that we not only trust them, but supervise them. We trust but verify, as the old diplomatic phrase goes. The verification comes from the commissioners, which were listed yesterday, with their explanations, which the right hon. Member for Knowsley (Mr Howarth) was talking about yesterday. The supervision also comes from the Minister, and ultimately and eventually from the House.
I am therefore reassured that the Bill is not a snoopers charter or a grubby attempt to procure the information of the private citizens of these islands. On the contrary, this is an extremely effective Bill. It has been through months of discussion, and hours of detailed and deliberate interrogation. It has satisfied the extremely demanding standards of the Chair of the Intelligence and Security Committee, and the exemplary work of the former Director of Public Prosecutions, the hon. and learned Member for Holborn and St Pancras, whom I am pleased to see on the Opposition Front Bench.
The Bill comes to the House as a nigh-on complete work. Even so, the Government have considered and accepted amendments and further changes. We have not only a final but a polished copy of a Bill that is designed to do exactly what this country vitally needs. It does exactly what the Government are here to do. It keeps the people of these islands safe, whatever their background, origins, occupation or duties.
Fundamentally, it also protects the freedoms that we enjoy. Those freedoms are not, as the Americans put it, free. They are fought for every day, by the people on the list in schedule 4 that I have identified—our armed forces and our intelligence services. That is why I am so proud to be here today to speak up for the intelligence services who have asked for those powers; for the armed forces who require them; for the police who use them; and most importantly for the Government and, in this case, the official Opposition, who have so carefully crafted a legal document that will hold water today and for long into the future.
The hon. and learned Lady raises a relevant point. The Bill has not been amended, but we received sufficient assurances from the Government that the way in which the system would be operated, in terms of the internal workings of the agency, would be such as to meet the concerns we expressed. Indeed, the Solicitor General or the Minister may be in a position to confirm that. On that basis, despite the fact that we raised the point, we did not table an amendment on it. The hon. and learned Lady is quite right to pick it up. I have not wanted to detain the House for too long, otherwise I could take her through a list of areas on which, having had further discussion, we decided amendments were not required. She is right to focus on that and I hope very much the Minister is able to provide some confirmation. I am grateful to her for having raised it.
Along with my hon. and learned Friend the Member for Edinburgh South West (Joanna Cherry), I represented the SNP in Committee. I am grateful for the opportunity to take part on Report.
I have many concerns about the Bill, and my hon. Friends have already outlined a number of areas where the SNP is sceptical about the Government’s case. This is a wide-ranging and complex Bill and time constraints prevent me from speaking to everything I would like to. However, I will focus my contribution on communications data and internet connection records. The measures in the Bill are not limited to internet access, email or telephony and include, explicitly, communication without human intervention. As it stands, the definition of communications data can tell us an awful lot about someone’s life. Stewart Baker, former senior counsel to the NSA in the United States, states that the content of a person’s communications data is redundant when we consider the amount of metadata that is already collected.
Communications data can be key in obtaining leads, solving crimes or preventing crime. However, I have a real issue with the length of the list of public bodies that would be able to access such personal and sensitive information on an individual without sufficient oversight in place. As we heard at the end of the previous debate and again at the start of this debate, from the hon. Member for Stevenage (Stephen McPartland), schedule 4 currently provides for a list of bodies that would be able to access retained data, including a range of regulatory bodies. Among them are the Food Standards Agency, the Gambling Commission, the Office of Communications, and the Health and Safety Executive. No fewer than 47 bodies are listed, a reflection of the tightly drawn nature of the Bill—or otherwise. That suggests that access to communications data may be granted for a range of purposes, which will almost certainly be disproportionate and inconsistent with the guidance offered by the European Court of Human Rights.
It is only appropriate that the correct level of protection and oversight is in place. The SNP tabled amendments 320 to 327 and 328 to 350 to ensure sufficient judicial oversight. The relevant public bodies must seek a warrant from a judicial commissioner, replacing the Secretary of State in the process where necessary. They also ensure that a threshold of reasonable suspicion would be necessary before a warrant is issued.
The arguments on judicial warrantry have already been rehearsed at length and I do not intend to detain the House long on this issue, particularly as my hon. and learned Friend the Member for Edinburgh South West speaks with a lot more authority on that subject than I do. Suffice it to say, I think hon. Members should pause and reflect on the lack of oversight. Decisions concerning necessity and proportionality can only be made properly by someone who is truly independent from the operations of the organisation.
Clause 54 contains the first mention of internet connection records. Subsection (6) defines ICRs in such general terms as to render the definition pointless. In that regard, I welcome some of the comments from the shadow Home Secretary and the Minister in their courting across the Dispatch Box a little earlier.
The point about the arm’s- length retention gets to the heart of the matter. The concerns expressed by the Opposition Front-Bench team all surround the question of a threshold, but the threshold will never be of any significance to those out there waiting to hack into this information, as we have seen only too clearly with the recent experience of TalkTalk.
I could not agree more with the right hon. Gentleman. I will come to that point shortly.
The question of who retains the information is secondary to the fact that it will be retained and accessible in the first place. The Government have, true to form, merely contracted out data retention to the private sector. Many people share unease about the security of this information. As we have seen recently, private providers are susceptible to sophisticated hacking operations. The consequences, should this information get into criminal hands, are deeply worrying. Indeed, the Joint Committee on the Draft Communications Data Bill shared similar concerns when it said that storing weblog data, however securely, carried the risk that it might be hacked into or fall accidently into the wrong hands.
I am listening carefully to what the hon. Gentleman is saying, and he is obviously aiming some of his comments in Labour’s direction. In a world where people are making fewer voice telephone calls—and if he is proposing that he would not want to collect this data—how would he propose the authorities go about locating a missing child in the early hours after the disappearance?
Order. I wish to say, before the hon. Gentleman develops his case, that although I absolutely understand that he speaks for his party from the Front Bench and is entitled to develop his case, I would gently point out that another seven Members wish to contribute, several of whom sat on the Committee, and I most certainly wish to include the Chair of the Joint Committee on Human Rights. It is not a criticism, but I am sure he will tailor his contribution to take account of that fact.
The answer to the right hon. Gentleman, who has considerable experience in these matters, not least from when he was on the other side of the fence, as a very senior Whip, is that it is always open to the Government to table an alternative programme motion. That is not a matter for the Chair. The amendments were, of course, all on the paper at the point at which the House agreed the programme motion.
I ought just to say for the avoidance of doubt that the hon. Gentleman who has the floor is not in any way being criticised; I simply wanted to make him aware of the level of demand. I think we ought now to proceed. I would happily sit here all night for colleagues to debate these matters, but I rather doubt there would be the same enthusiasm among Government Whips for such a proposition.
Thank you very much, Mr Speaker; I have almost forgotten what the intervention was—[Interruption.] I do not doubt that, but to answer it, we do not know what ICRs are at the moment. They are not clearly defined—the shadow Home Secretary made that point himself earlier; nor do we know how effective they will be. People in the industry tell me that current technology, such as Tor, virtual private networks and what have you, may render them useless. We do not know what ICRs are at the moment, so I have to be honest with the shadow Home Secretary: I do not have all the answers.
My hon. Friend sat on the Bill Committee with me and will remember that we heard evidence that if, for example, he wanted to see whether a missing child had been on Facebook, all that the internet connection record would show was whether they had been on Facebook, not whom they had been in contact with. Does he therefore agree that the utility of internet connection records for tracing missing children, which we all recognise is of the utmost importance, is perhaps being rather overblown?
I wholeheartedly agree with my hon. and learned Friend.
Before I was intervened on the first time, I was saying that the Joint Committee on the draft Communications Data Bill said that
“storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people’s interests or activities could be drawn.”
It is clear that the intelligence services and the police need powers that befit the digital age in order to keep us safe and to catch perpetrators. However, when seeking to introduce powers as intrusive such as ICRs, it is incumbent on the Government to ensure that their case is watertight. As my hon. and learned Friend said in Committee, we very much hope to be an independent country writing our own security policy, so we do not take our opposition to such measures lightly.
In drafting such a proposition, with such a loose definition, the Government are asking us all to trust them and to sign a blank cheque to allow the wide use of such powers without knowing what their full impact, costs or consequences will be. The Home Office has said that companies will be reimbursed for the additional costs placed on them, but that commitment does not appear in the Bill. The Government have earmarked £175 million to reimburse companies for the costs of meeting their new responsibilities. However, most in the sector believe that is a vast underestimation of what the true costs will eventually amount to. Owing to uncertainty about the extent and definition of ICRs and the extension of communication service providers that will be affected by the proposed provision, the cost is difficult to estimate, but industry figures have told me that they expect it to be anywhere between £1 billion and £3 billion.
I appreciate that the Minister, in a letter to the Committee, reiterated the Government’s intention to bear the cost of implementation, but without clearer information we cannot expect Parliament to sign a blank cheque. Between £175 million and £3 billion is a rather large range, and at a time when disabled people are losing benefits and the WASPI women cannot get the pension they were promised, this seems a rather anomalous and large black hole in potential Government spending. I have said in the past that the Government know the cost of everything and the value of nothing, but in this case they do not even know the cost.
This is a global problem and as such requires a global solution, and it is important that we reflect on what other countries have done to address the issue and that we learn any lessons from their experiences. It is unfortunate, therefore, that a similar scheme of logging data in Denmark has recently been abandoned. That scheme operated for seven years, and although I accept that there were differences in that scheme, there were many similarities. Upon its abandonment, the Danish security services expressed their view about the difficulty of being able to make proper and effective use of the large amount of data that had been gathered. It seems that, instead of spending their valuable time locating criminals, the security services will spend most of it working on spreadsheets and filtering out the useless from the useful. It should be noted that the Danish ICR model was proving too expensive and the cost spiralled out of control, that Australia considered the proposal but decided not to pursue it, and that, as we have heard, the United States is rescinding many of its intrusive powers and moving in the opposite direction.
It is for those reasons that we believe the case for ICRs has simply not been made. The Government have failed to convince us, and those working in the industry, that ICRs are necessary, proportionate and in accordance with the law. We tabled an amendment to remove them from the Bill, but it was not accepted, which leaves us no option but to vote against the Bill in its entirety. That is not a step that we take lightly, but, ultimately, it is a necessary step.
In the event that we are unsuccessful in bringing down the Bill, we will still attempt to ameliorate aspects of it in order to protect smaller companies, especially those that supply lifeline and low-profit services to rural communities. New clause 26, which I tabled along with SNP colleagues, would exclude the providers of rural or community access communication services and small service providers from the obligation to collect and retain data. I have mentioned the deep concern in the sector about the expense that the Bill will impose on industry. I am sure that the Government will not want to put any businesses in a perilous situation, particularly those that operate with smaller cash flows and tighter margins in rural Scotland in order to provide a vital service for their local communities.
The Committee was provided with written evidence stating that smaller internet service providers were still subject to the same demands as the much larger organisations that operate on the world stage. Organisations such as HUBS are supplying vital internet connections to some of the most remote communities. If the Government railroad these clauses through the House without proper regard for the impact they will have, they will seriously endanger those small businesses and restrict internet use for some of our rural communities.
I am afraid not, because I do not have time. Plenty of other Members want to speak.
You will pleased to hear, Mr Speaker, that I am nearing the end of my speech. [Hon. Members: “Hear, hear.”] Thank you.
We live in a digital age. I therefore welcome the Government’s proposed digital economy Bill, and, indeed, the Chancellor’s commitment to match the Scottish Government’s commitment to universal broadband provision. The digital economy Bill is intended to make the United Kingdom a world leader in digital provision. However, according to many in the industry, this Bill will completely undermine that goal before the draft Bill has even been printed.
It is only right and proper for the Government to consider and propose new powers that our security agencies can use to keep us safe, but in many parts of the Bill the Government fail to make the case that the powers they want to introduce will be effective, are necessary, are in line with our right to privacy, and cannot be challenged in the courts. It is for those reasons that the SNP are still unconvinced of the merits of the Bill, and will vote against its Third Reading later this evening.
I rise to support new clause 19, which stands in my name. It is a scoping amendment, which I do not intend to press. A large number of amendments have been tabled so I will be extremely brief, but I want to pay tribute to my hon. and learned Friend the Solicitor General, who has been incredibly receptive to the concerns that I have raised throughout this process.
We all remember the examples of local authorities using powers inappropriately, whether that has involved rummaging through our bins or spying on paper boys to determine whether they have the right to work. I welcome the steps that the Government have taken to try to address that, including the creation of a new criminal penalty for the misuse of these powers. However, I believe that more needs to be done to ensure that the wider public can be confident that we will not see a repeat of history, and will not see councils misusing the powers in the future.
New clause 19 would introduce a requirement that when a judicial commissioner approves an authorisation for telecommunications data for a designated senior officer of a local authority, that senior officer must notify his or her chief executive before the authorisation has taken effect. I believe that that will help for two reasons. It will discourage over-zealous officers from applying for authorisations if they know that their chief executives will see those authorisations before they take effect, and, in the event that a council officer is found to have misused the powers, the chief executive will be accountable. Chief executives will never be able to say that they did not know what was happening in their authorities.