Investigatory Powers Bill (Second sitting) Debate

Full Debate: Read Full Debate
Department: Home Office
Thursday 24th March 2016

(8 years, 8 months ago)

Public Bill Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Gavin Newlands Portrait Gavin Newlands (Paisley and Renfrewshire North) (SNP)
- Hansard - -

Q This is a quick follow-up to a question Mr Starmer asked earlier about ICRs as they relate specifically to mobile devices. The example that he gave involved a football app, but let us use Facebook as an example, as it may be of use in investigations. Facebook and apps like it have lots of background processes that generate thousands of ICRs. Is there any way of ascertaining whether an ICR is created manually or automatically by the app?

Mark Hughes: I think there is a principle here. Again, it is enshrined in the Bill to a certain extent, but I make the point now. The organisation that holds the data closest to source is the one that should be subject to the powers. That is the one that should be retaining and having to disclose data under the Bill as it stands. For example, you mentioned Facebook. If Facebook has those data, they are the ones you would have to ask about how they would go about retaining and disclosing it.

Gavin Newlands Portrait Gavin Newlands
- Hansard - -

Q I understand that, but would it be technically possible to understand whether somebody has pressed a button to create that record or whether the app has done it?

Mark Hughes: I would have to look specifically at the details around it. If it generated an internet connection record that was a website visit, for example, that might be something that we retained, but it would be very difficult for me to comment specifically on that without knowing the exact details. It depends on the engineering of the services and networks, but in principle, if Facebook had that data, then they are the ones that should be subject to the law. We are considering whether to propose an amendment to the Home Office on the third party data question, which is the case in point here, and how that should be approached. We think that the principle is that other providers who have that data are the ones who should be subject to it, and that it should be explicit in the Bill.

Gavin Newlands Portrait Gavin Newlands
- Hansard - -

Q So at the moment the Bill is not clear enough on that aspect?

Mark Hughes: It could be clearer, and we are thinking about proposing an amendment specifically to over-the-top providers, making it clear that they are responsible for that.

Keir Starmer Portrait Keir Starmer
- Hansard - - - Excerpts

Q Can I come back to the question of what constitutes an internet connection record? It is the record that you may be responsible for keeping and passing over, so it is important that you have clarity. I take it from your previous answers that you have said some of it will be data that you are already collecting for your own purposes, and some of it will be other data that you are not currently retaining but will retain as a result of the Act. What are the data you are currently retaining? What is the bit that you keep already?

Mark Hughes: I gave an account number as an example. We obviously know our customers’ account numbers, so that is something that we currently have, and we have other types of information, as I went through, which are potentially subject to other pieces of legislation on retaining data. The point about the internet connection record is that it is rather like a series of ingredients, which you have to put together to create the record.

--- Later in debate ---
Victoria Atkins Portrait Victoria Atkins
- Hansard - - - Excerpts

Q So in those two areas—counter-terrorism and serious organised crime—this legislation could help not just our country, but our neighbours overseas as well.

Richard Berry: Yes, absolutely. From experience, I was involved in running a national operation on human trafficking, and we basically created a dataset from a significant amount of intelligence gained during that national operation over six months. It went straight into the analytical work files within Europol and we were able to map organised criminality right the way back to mainland China in some cases. The added value point, which is what you are making, very much comes from that sharing.

Simon Grunwell: Can I just add to that? A significant thread for us is organised tobacco smuggling, which is international by default. So it can only help.

Gavin Newlands Portrait Gavin Newlands
- Hansard - -

Q Just a follow-up to a question asked in the last panel about ICRs as they relate to mobile devices and third-party apps. You brought up easyJet earlier, and I have got an easyJet app on my phone. As far as I am aware, it creates a lot of ICRs as defined in the Bill. There is no way to differentiate between an ICR that is created manually or automatically by a third-party app. How would that limit the operational effectiveness of ICRs for you?

Chris Farrimond: To go back to my previous answer on this point, from your mobile record—the ICR from that—we would require your provider, Vodafone or whoever, to help us to understand which flight provider you were using. If they came back to us and said, “One of the domain names is easyJet”, we would say, “Thank you very much.” That is what we would expect from Vodafone. We would then go to easyJet and say—with the right authority signed off, obviously, and with the proportionality, necessity and everything that goes with that—“Can you tell us about his travel plans?” They would, hopefully, be able to do precisely that with the data that they hold on their flight details. But as for the actual app, all that we would look for from your provider would be to tell us that you have been making use of easyJet, and that would give us the next point in our investigation.

Gavin Newlands Portrait Gavin Newlands
- Hansard - -

I might not have used easyJet for several months, but the app still connects my phone to easyJet’s service provider. Likewise, I have a British Airways app. None of that limits any effectiveness for you?

Chris Farrimond: What I would expect to get is something showing you connected to easyJet for two minutes rather than for a nanosecond, or for an upgrade coming through. If we saw two minutes, we would say, “He did something with easyJet at that point.”

Richard Berry: Things like the tracking cookies you have on normal websites are not relevant information for our purposes. To offer a point of reassurance, we have a decade of experience of looking at what relevant data should be retained. ICRs are no different to that principle. Prior to any retention notice being served on a particular provider, law enforcement, the Home Office and the provider will be looking at the operational benefit, the cost and the technical feasibility of what data they hold and what data we would use. It almost takes each provider on a case-by-case basis to ensure we are gathering only relevant information. We could see those feeds back—the little connections you are talking about—being ruled out of the data we need to retain.

Keir Starmer Portrait Keir Starmer
- Hansard - - - Excerpts

Q May I go back to the definition of internet connection record? To take it in stages, you are obviously concerned about your ability to deal with serious crime and the visibility of what you can do; I completely understand that. You make an ask of the Home Office, which as you said, is basically, “Who? When? Where? How?” That is where you think you need to go next, to maintain the ability you have now, because of the different ways people are communicating.

From that, you said, “Well, therefore The Guardian is enough for us, not that someone went to a page on Libya or clicked on something about Libya bombings, because that is not within our ask.” My difficulty is not to challenge why you want that, what you use it for or its utility. I just cannot see how the definition in the Bill is limited to your ask; in other words, it appears to go as far as you want to go.

Tell me if this is an unfair question, because it is about the words on the page, but which bit of the definition you understand to be the word or words that limit it to what you say you are asking for, rather than letting it go any further? At the moment, I cannot see that bit of the jigsaw. In other words, which is the trigger word in the definition of internet connection record that says The Guardian website but not “within The Guardian, the words ‘Libya’ or ‘bomb’” or whatever it may be that means we cannot go beyond what you have asked for?

Chris Farrimond: It is a bit difficult for us, because as law enforcement officials, we have no hand in writing the Bill.