Read Bill Ministerial Extracts
Investigatory Powers (Amendment) Bill [Lords] Debate
Full Debate: Read Full DebateJeremy Wright
Main Page: Jeremy Wright (Conservative - Kenilworth and Southam)Department Debates - View all Jeremy Wright's debates with the Home Office
(9 months, 2 weeks ago)
Commons ChamberLet me say first of all that I am in favour of the Bill, which I think constitutes a sensible updating of the intelligence community’s powers in the ways that the Home Secretary and, indeed, the shadow Home Secretary have described. I am also in favour of the principle, mentioned by the shadow Home Secretary, that greater powers for the intelligence agencies should come with greater oversight of those powers.
I know that my colleagues in the Intelligence and Security Committee will want to focus on certain areas covered by the Bill. I want to focus my remarks on internet connection records, which are, of course, important pieces of intelligence. We are talking here about which internet sites were accessed and when, not about precisely what was viewed or what activity was carried out, but none the less this data can be of significant intelligence value. The Investigatory Powers Act 2016 allows for the obtaining of internet connection records data in certain circumstances. The circumstances on which I want to concentrate are those in which an intelligence agency is focused on the use of a particular internet service at a particular time and is keen to know the identity of the person or persons who have been using it at that time. This is covered by section 62 of the Act, which gives authority for an intelligence agency to obtain that information. The Bill seeks to broaden an agency’s power to act in those circumstances.
The law currently requires the agency to know specifically which service has been used, and specifically at which time it was used. Clause 15 seeks to extend that to allow the collection of ICR data to identify individuals using “one or more” specified internet services “in a specified period”. What that means, at least as the Bill is currently drafted, is that there is no apparent limit on the number of internet services that can be specified or on the length of the specified period, so the clause could allow an intelligence agency to collect ICR data on a large number of different internet services, and over a long period. That would inevitably involve data on the activities of a potentially large number of people, whereas the current law permits only examination of a specific service at a specific time, which carries much less risk of other wholly innocent and uninvolved individuals being caught in the net.
I do not suggest—and neither, I think, does the Intelligence and Security Committee—that the intelligence agencies do not need these wider powers. We do say, however, that this is a significant widening of their powers, and that it should therefore come with additional scrutiny from a judicial commissioner. I think we can deduce, not just from the debate in the other place, but from what the Home Secretary has said in this House and what other Ministers have said at other times, that the Government essentially have two arguments in response to that. The first is that this new power is not intrusive enough to merit extra oversight, as ICR data relating to those not subject to agency interest is not retained, and the second is that the power being proposed is no more intrusive than current powers to collect internet connection data.
On the first of those arguments, the fact that data is not retained does not mean that it is not intrusive to collect it. Many of our constituents would be concerned about their internet activity being scrutinised, even if no action were taken thereafter—and we should bear in mind that the Bill’s language does not limit that scrutiny to sites visited which are inherently suspicious. Even everyday online activity may be of interest in the case of individuals of concern, but this provision would mean that the everyday online activity of many who are not of concern will also be examined. That, we say, makes the provision worthy of additional oversight.
The second argument the Government might advance is that this is no more intrusive than current powers. That, I think, is true in terms of the depth of the intrusion—it is still the “when” and “where” of internet activity rather than the “what” that we are talking about—but it is not true in terms of its breadth. Many more people will be caught by it, and that is a significant and material increase in intrusion for the population at large. We therefore believe that the Government should think again, not about whether intelligence agencies should have these wider powers, but about whether there should be the involvement of external scrutiny to ensure that they are used properly.
There is only one other matter that I want to touch on briefly, and it has been mentioned already: the grounds on which powers such as these can be used. There are, essentially, three. First, they can be used in the interests of national security, and I have no argument with that. Secondly, they can be used in urgent cases to combat some forms of criminality. Thirdly, they can be used in the interests of the economic wellbeing of the UK, in so far as those interests are also relevant to national security. As the House knows, the last of those has long been controversial as an appropriate ground for action—and, of course, the more intrusive the powers that can be used with that justification, the more controversial it is. I think it fair to say that the ISC is concerned about its use in that regard, and I am sure the House will want to consider, as the Bill proceeds, whether its application to these powers and more generally is still appropriate.
I think we may be conflating different aspects of the Bill. I do believe that this already has oversight.
Let me answer the point raised by my hon. Friend the Member for Broxbourne, which touches on a similar area. Where people have the right to and expectation of privacy and freedom, this provision does not remove that right. What it does is allow the intelligence agencies to use bulk data to target an individual at a particular point, and the excess collected information will not be able to be used for targeting an individual without the warrant process that would be expected for any initial search. In that sense, this is not undermining anybody’s privacy; it is allowing for the fact that information is now largely in bulk format. The hon. Member for Barnsley Central was talking about steaming open envelopes. It is impossible to steam open a single envelope today; one has to steam open thousands because that is how data comes. Without an amendment such as that set out in the Bill, we would simply be interrupting the work of the intelligence services to the degree that it would hold them back and make the process harder, but I would be happy to take this up with my hon. Friend the Member for Broxbourne later if he wishes.
I thank the hon. Member for Halifax (Holly Lynch), who was here earlier and made an interesting point about the various ways in which the memorandum of understanding should be looked at through the National Security Act 2023. Friends of mine will know my thoughts on that and know that I gave the Conservative party the chance to allow me to change that 10-year absence, but the Conservative party chose somebody else to make that decision so I have sadly lost the ability to have that influence.
My right hon. and learned Friend the Member for Kenilworth and Southam (Sir Jeremy Wright) made a typically insightful speech and typically sensible comments on the ways in which we must consider how the authorisation must not be used to mount general surveillance. Condition D will be used only when an applicant makes a clear and compelling case, based on tangible, reliable intelligence leads, information and analysis, that the resulting data will identify parties involved in a relevant serious crime or national security-related specified operation or investigation. The applicant must explain any anticipated collateral intrusion, and how this will be managed to ensure that the application is necessary and proportionate to the outcomes of the investigation.
I accept what my right hon. Friend says but, in the context I described, the case is being made to someone else within the intelligence agency. There are, of course, two types of authorisation—D1 and D2—and we are worried about D2, under which the application is made from inside the intelligence agency to inside the intelligence agency. That does not present the sort of external scrutiny that we suggest is necessary.
Investigatory Powers (Amendment)Bill [Lords] Debate
Full Debate: Read Full DebateJeremy Wright
Main Page: Jeremy Wright (Conservative - Kenilworth and Southam)Department Debates - View all Jeremy Wright's debates with the Home Office
(8 months, 1 week ago)
Commons ChamberI would not have thought that the right hon. Gentleman could be seen as hardline on anything, pussycat that he normally is. He portrays himself as hardline, but I know from working with him very closely on the ISC that he cares about this information. He has referred to the Investigatory Powers Act as his baby. It has grown up a little bit and is now being brought into the modern age. I should put on the record again his dedication and work as a Minister to bring in the original Act, which was groundbreaking for this country. It has stood the test of time. We know that we will be back here, so the measures will change. I have no problem with that. It is just that, as technology changes, things will change.
May I finish by thanking the members of our security services for the work that they do? I also thank them for the way that they have engaged with the ISC on the Bill. Hopefully, with the changes that have been brought forward, we can reach agreement on the Bill and our security services will have the ability to face up to the challenge that is coming forward: the ever growing use of larger datasets, and the more sophisticated way in which state actors and non-state actors have access to technology. That will enable the security services to do what we all want to do, which is to keep individual citizens and, just as importantly, our democracy safe.
It is a pleasure to follow the right hon. Member for North Durham (Mr Jones), who is a fellow member of the Intelligence and Security Committee. As he mentioned, we work collegiately, and one of the many advantages of that collegiate approach is that I do not need to repeat everything that he has just said; I need only say that I agree with him. I realise that that is a radical approach in this place, but I will not say it all again. I will simply say that I agree with him; he is absolutely right. His point is that, when it comes to the consideration of warrants to authorise the interception of, or interference with, the communications of Members of Parliament, there is huge significance to such a decision. That is the reason the Prime Minister has had to be involved in it, and it is the reason we should not widen too far the pool of deputies who, for sensible and understandable reasons, as the right hon. Member explained, we now need to provide for.
That is why I hope that the next concession that the Minister will make will relate to the pool of deputies, and that in the language the ISC suggests that he adopts we ensure that it is a controlled group, based on either current responsibilities or previous experience. I am sure that we can discuss with him any changes to the wording that he thinks are necessary, but as the right hon. Member for North Durham explained, the current provisions allow for only one restriction: that the member of the Cabinet in question should receive a briefing on how to conduct their warrantry responsibilities. We do not think that that is restrictive enough, given the significance of this decision-making process. I am grateful to the Minister for what he has already said about notification of the Prime Minister in the process. That is a sensible change, which I welcome.
It is a pleasure to follow the right hon. and learned Member for Kenilworth and Southam (Sir Jeremy Wright), and to take part in what has already been a very thoughtful debate. We also had a very constructive Committee stage, so the amendments in my name and that of my hon. Friend the Member for Midlothian (Owen Thompson) are designed first to pose some further questions to the Minister, particularly in relation to the offence of unlawfully obtaining communications data, which we discussed in Committee. Secondly, and perhaps more significantly, we again seek to remedy some of the serious concerns that we continue to have about the Bill extending powers beyond what we regard as necessary and proportionate, and the absence of sufficient judicial oversight where such judicial oversight is really required.
First, and briefly, our amendment 13 builds on the discussion in Committee about the offence created by the 2016 Act that will be amended by clause 12. We argued in Committee that the so-called example of “lawful authority” for obtaining communications data in proposed new subsection (3A)(e) of the 2016 Act was an extension of the power rather than a restatement of it. The Minister countered that he was actually seeking only to put existing codes of practice into statute. There is obviously a line of argument that codes of practice do not always necessarily comply with the law, but having gone away to look at the codes of practice it seems that there is a difference between what is currently in the codes of practice and what is currently in the Bill. The wording of amendment 13 reflects the code; the wording of proposed new paragraph (e) seems potentially broader than that. The question for the Minister is why the wording is so different, and whether he can assure us that it is not meant to be interpreted any more broadly than the existing exception in the codes of practice.
The remaining amendments set out our more fundamental concerns with the Bill. In particular, there are three areas where we question the strength of the oversight regime: in relation to bulk personal datasets, internet connection records, and Government notices to companies under clause 21. We regard advanced judicial oversight as important and reassuring not just for members of the public but for those who are exercising the powers. Clause 2 on bulk personal datasets is the first example of where we believe that oversight is being unnecessarily watered down. We are told that the system of advanced judicial authorisation is causing delays and stifling operational flexibility, but to us the answer is to fix those logjams in the oversight system, not to water that system of oversight down. The case for a lighter-touch system of category authorisations has not been made to our satisfaction. That is why we tabled amendment 7, which would take out clause 2.
At the very minimum, why not strengthen the ex post facto oversight beyond annual reviews and reports? Amendment 11 highlights one way to do that, so that the judicial commissioners are reviewing whether what is being done under category authorisations is lawful, cancelling authorisations where that is not found to be the case, and ensuring therefore that we have a clear picture of how the new powers are being used. I noted with interest what the Minister said about the role of IPCO, which we absolutely regard as helpful. However, it would be insufficient, and certainly less robust than our proposal in amendment 11.
As the hon. Gentleman set out, amendment 11 would strengthen the hand of the judicial commissioner, and I have some sympathy with that. My concern is that his proposed new subsection (4) says:
“The Judicial Commissioner, on reviewing any notifications received under subsection (2), must cancel the category authorisation if the Commissioner considers that section 226A no longer applies to any dataset that falls within the category of datasets”.
I wonder why he thinks that the wrongful inclusion of one individual dataset in the category would invalidate the category as a whole, because that seems to me to be the effect of what that part of his amendment would do.
I am grateful to the right hon. and learned Member for that intervention. He possibly makes a fair point. If I recall correctly, the wording of that proposed new subsection was borrowed from another part of the Bill. I might be wrong about that; I need to go away and have a look. I suppose the argument would simply be that if a category authorisation is to any extent being abused, it is right that the category authorisation is cancelled, and if somebody wants to come back with something similar, they can do so. However, I am not without sympathy to his point. I take it in the spirit in which it was intended, and will reflect upon it.
Let me move on from the question of oversight in relation to bulk personal datasets to the issue of “no” or “low” expectations of privacy in relation to such datasets, and how that test will operate in practice. Throughout the passage of the Bill, we have been repeatedly given some very easy examples of so-called “low/no” bulk personal datasets. For example, we have spoken about phone books, academic papers, public and official records, and other data that many people would have access to routinely. It was helpful that, in relation to what is now our amendment 9, the Minister said in Committee that Facebook posts and CCTV pictures would be considered sensitive and would not be caught by these provisions. It is very helpful to have that on the record.
None the less, it would to be useful to have greater precision in the Bill. Amendment 8 would take out reference to “low” expectations of privacy altogether, so that only “no” expectations would be covered by the new provisions. To us, “low” is such a difficult question to adjudicate—low expectations in particular. That is especially the case when we are dealing with datasets of potentially huge numbers of very different people with very different reasons for having very different expectations of privacy, particularly in how that would relate to different organisations. We cannot think of a single dataset example provided during the passage of the Bill that would not be adequately covered by “no reasonable expectation of privacy”. If that is the case, if that is really all the Bill will be used for, why not just accept the amendment? It would be useful to have an understanding of what “low” expectation of privacy is designed to cover.
Amendment 15 brings us to internet connection records. In 2016, the Government emphasised the very targeted nature of the ICR powers, but here we are being asked to incrementally expand those powers so that they are slightly less targeted. To us, that means that the independent assessment of proportionality and necessity is pivotal, so we think that it should be subject to advance judicial oversight. Even the explanatory notes accept that there are difficulties in formulating sufficiently targeted queries, noting that
“such queries are highly susceptible to imprecise construction”
and that “additional safeguards” are required.
For us, the required additional safeguard is judicial oversight. We were led to believe that the powers would be used only exceptionally, so it is hard to see how a judicial authorisation requirement would cause any significant problem. The Government argue that there may be times when warrants are needed on an emergency basis, but that could be dealt with by having emergency processes or very limited exceptions—it is not an argument against a general rule of advance judicial oversight.
I turn to the impact on technology companies of the Bill’s various provisions relating to notices—although the right hon. and learned Member for Kenilworth and Southam probably made more sensible and eloquent points than those I am about to make. The written evidence that the Bill Committee received shows that tech companies, academics and human rights and privacy campaigners are still a million miles away from the Government in their understanding of how the provisions will work and of the impact that they will have on products and services. Apple wrote to the Committee that these provisions
“would dramatically disrupt the global market for security technologies, putting users in the UK and around the world at greater risk.”
It is frustrating and disappointing that we did not have the opportunity to explore those differences in detail through witness testimony. The Minister did his best to reassure us, and he made some important arguments about extraterritoriality and conflicts of laws, but given the serious concerns that have been raised, it is worth again asking the Minister to explain why those witnesses are wrong and he is correct. In particular, the Government’s explanation that the new pre-notification requirement in clause 21 is
“not intended as an approval mechanism”
has not dampened concerns. Apple argued in evidence to the Committee that
“Once a company is compelled to provide notice of a new security technology to the SoS, the SoS can immediately seek a Technical Capability Notice to block the technology.”
Other provisions in the Bill around maintaining the status quo during notice review periods work in tandem with these provisions to deliver what Apple and others see as a de facto block on adoption of new technology—that is the risk that they are highlighting, and it is what the Minister must address in his speech. It is why we have tabled amendments to take out some of those provisions. It is also why we have tabled amendment 19: an alternative that would introduce advance judicial oversight and, hopefully, a degree of reassurance that the new notification notice regime under clause 21 will not deliver the unintended effects that many fear.
Finally, I put on the record our support for the amendments tabled by members of the Intelligence and Security Committee, whose work on the Bill has been as helpful as ever—I congratulate them on their one-and-a-half victories so far. As is often the case when it comes to Bills of this type, we also put on record our support for several of the amendments tabled by the right hon. Member for Haltemprice and Howden (Sir David Davis), some of which are similar to amendments that we tabled in Committee, while others are similar to amendments that we supported during the passage of other Bills, including the National Security Act 2023. In particular, new clause 3, which is designed to place an absolute prohibition on the UK sharing intelligence with foreign Governments where there is a real risk of torture or cruel, inhuman or degrading treatment, is long overdue and would close a serious gap in the law. For us, that is self-evidently the right thing to do.
Right hon. and hon. Members will be delighted to hear that, having answered colleagues as we went along, I have only a few short words to conclude. [Hon. Members: “Hear, hear!”] I know how to keep them happy.
Amendments 3 to 6 to clause 14 concern the restoration of specified public authorities’ general information powers to secure the disclosure of communications data from a telecommunications operator by compulsion. I pay tribute and thanks to my right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes). I hope that Members will have noticed that I have listened carefully to Members across the House, and I believe that this Bill has been pulled together carefully alongside the Intelligence and Security Committee. It is a slight shame I cannot thank the right hon. Member for New Forest East (Sir Julian Lewis) in person, who is sadly at a funeral today. He has played an important role in contributing to and leading the engagement of which I have had the advantage in preparing this Bill.
Let me quickly touch on one or two points. My right hon. and learned Friend the Member for Kenilworth and Southam (Sir Jeremy Wright) spoke about notices. It is important to note that the notices do not block innovation. They do not stop a technical patch or infringe on companies’ ability to update their systems. All they do is make sure that the existing level of access remains while that is being looked at. That is a reasonable element to ensure that the British people are kept safe by the British law enforcement authorities.
I understand what my right hon. Friend is saying, but the practical consequence of issuing such a notice is that the development of the product about which concern has been expressed has to stop. Therefore, the infringement on commercial liberty, in practice, is exactly what I have described, is it not?
If my right hon. and learned Friend will forgive me, I will be able discuss that in a more secure environment, but I can only say, “Not necessarily.” I will be able to describe why that is in a different environment, but I cannot do it here.
The reason for not accepting amendments 22 and 23 —I understand the points made by right hon. and hon. Friends and Members across the House—is that we are talking about a very limited number of people. One Secretary of State is already used to do the initial request. The second person on the triple lock is a judicial commissioner—a judge. The third therefore has to be one of the four Secretaries of State left. Therefore, it is important that we make sure that it is somebody in whom the Prime Minister has confidence. Given that we are about to have a new Government—I hope the new Conservative Government, but still a new one—it is entirely possible that there will be a new Cabinet and that the routine explanation will not be satisfactory. As routine duties do not have legal clarity, we will not use them.