Investigatory Powers Bill (Second sitting) Debate
Full Debate: Read Full DebateJoanna Cherry
Main Page: Joanna Cherry (Scottish National Party - Edinburgh South West)Department Debates - View all Joanna Cherry's debates with the Home Office
(8 years, 8 months ago)
Public Bill CommitteesQ Thank you, Mr Walker; it is a pleasure to serve under your chairmanship. Mr McClure, you have made some powerful points, so thank you very much indeed for giving your perspective on the IT, and as a bereaved relative. We all share your grief and anger about the atrocity.
Mr Wardle, I want to ask you about internet connection records, the new potential powers within the Bill and the purposes for which those records could be retained by an internet service provider. We know now that, as a result of the Joint Committee’s recommendations, there are four purposes for which those records could be retained for potential examination by the authorities. I think that they are very clearly set out: for the purposes of identifying who sent a communication; to establish what services either a suspect or a potential victim has been using; to establish whether or not a known suspect has been indulging in online criminality; and finally—the additional one—to identify services that a suspect has accessed, which could assist an investigation. If there was a narrowing of those purposes, what effect do you think that would have upon the authorities’ ability to investigate child abuse and related offences?
Alan Wardle: As I understand it, the previous draft Bill had a narrowing in the fourth one, and I appeared before the Joint Committee before Christmas to argue against that narrowing. I cannot remember the exact wording, but it was essentially where illegal activity was happening.
Again, I go back to the example of the grooming case I mentioned earlier. Grooming, by its very definition, takes place over a period of time. There are certain activities that you would want to investigate that are perfectly legal. Say a child has been trafficked across the country. Someone has hired a car, taken it from A to B and dropped it off, and they have gone on to the Travelodge website to book a hotel room. All of those are perfectly legitimate activities, but those activities—as part of a wider investigation—would be able to show the police that that person trafficked that child from A to B and that those activities took place. Clearly more would be needed, but the narrowing that was there before would, we believe, have unduly restricted the police’s ability to investigate those kind of crimes.
Q May I ask you some questions about internet connection records? Can you confirm that you have read the operational case for internet connection records referring to the case of Amy?
Alan Wardle: I do not think I have read that.
Q Would you agree with me that if a child goes missing, the first thing you want to do is to find out what social media or chat sites the child has been on?
Alan Wardle: Whether that is the first thing you want to do, it is certainly—
It would be a priority.
Alan Wardle: That would be something that the police would want to investigate pretty quickly.
Q Is not the easiest way to do that to ask their friends?
Alan Wardle: It could well be, depending on what has happened. In an ideal world, the child would keep all the evidence themselves and it would all be freely available in terms of the content, but things are deleted and friends are asked to keep quiet and so on, so it is not always necessarily available. If the child has been groomed, they may have been taken by someone they think is their boyfriend, away from their dreadful parents—they are running away.
Q Sometimes the child will take their phone with them and it will be switched off and be no use to us, but other times they will leave their phone behind and we can get into the phone and see which social media sites they have been on. Is that right?
Alan Wardle: I am not a police officer, but yes, I presume so.
Q Equally, if there is a computer at home, the police can access the computer with the parents’ permission and see what social media sites the child has been on?
Alan Wardle: Yes, but three quarters of 12 to 15-year-olds have a mobile phone or tablet, so it is rarely the computer on the dining room table any more.
Q If we assume that the computer and the phone are not available, you could go to friends or siblings and find out what social media the child commonly uses. If, for example, the child commonly uses Facebook, the friend will be able to tell you what the child’s username is.
Alan Wardle: Well, the child’s username would be their real name because Facebook has a real name policy.
Q Indeed, and they will know what their friends’ names are. I do not really know how Bebo works, because I am too old, but if it is not a known name on Bebo, you are still able to get the username from the child’s friends.
Alan Wardle: I would imagine so, yes.
Q Does it not really boil down to this: wherever you get the information from—whether it is mum or dad or, more likely, mates at school—you have to go to Bebo or Facebook and ask for their help?
Alan Wardle: The social media companies clearly have a huge part to play in this as well. We challenge them regularly on all aspects of how they keep children safe online. What is important when the police are investigating such crimes is that they have every tool available to them that can legitimately be made available. Some will be traditional policing methods, such as asking their friends and knocking on doors, and some may be much more technical aspects, such as internet connection records.
Q But would you agree with me that what is important is to have effective tools?
Alan Wardle: Absolutely. One of the things we have challenged the internet companies on is that if those tools are available, they should be widely available. A good example is what is called PhotoDNA, which basically means that illegal images of children are hashed and can be removed across the internet. That is a really positive development. That technology was developed by Microsoft, but shared across all the big companies, which is a really positive thing.
We know that there are other technologies—anti-grooming technologies, for instance—that have been created, but have not been shared in that way. I think that there is an obligation on the companies—your Apples, your Facebooks and your Microsofts—to ensure that these kind of tools, with no real commercial gain to be made from them, should be freely available across the industry.
Q If we just go back to the example that I was pursuing, about the missing child, I think you agreed with me that it is important to have effective tools. Is it your understanding that all the internet connection record will tell you is what the missing child connected to? It will not tell you what the missing child did once they were connected.
Alan Wardle: No. That is the issue to do with content. Again, it could well be that that is part of a wider picture.
Q An internet connection record will only tell you to which service the child was connected, not whom they spoke with, nor what the content of their speaking was—
Alan Wardle: Not necessarily.
Q Whereas, if you go to the child’s friend and get the child’s username on the social media site, you will be able to get that information as to content.
Ray McClure: You would still need the child’s password to access the data.
Alan Wardle: That is not enough in and of itself. Yes, do you have the password? How would you get into it?
Q There has been a description of Tor as a facility that allows digital abuse of anonymous online activism. It is linked to encrypted information. I want you to say a bit about what effect encryption has on some of the work that you are involved with?
Alan Wardle: A lot of the activity that we take for granted online—shopping, banking and all the rest of it—could not be done without encryption, but of course, as with all these tools, encryption can be used for bad purposes by bad people. Similarly, with services like Tor and Freenet—the dark web—in the cases that we are concerned with, you get your most highly committed and dangerous offenders, quite often, particularly sharing very explicit images or videos of children being abused. Those services enable them to hide there. The police do the best they can, but, again, for a lot of that they will be dependent on traditional undercover techniques.
I think there is a question that is—I say this respectfully —beyond this Committee’s remit and beyond many of our remits. The direction of travel generally is that we are seeing greater moves to encrypt data as a matter of course, with things like Google Chrome browsers and so on. With browsers such as that, internet service providers cannot put in place the kind of protections they have, so they do not know what is going on there. That is a direction of travel and something that is worrying. It is clearly a global issue, but the police not being able to track what is going on due to increasing levels of encryption is a worry.
Q At the Joint Committee, Mr Hughes, you said that BT had never collected internet connection records before, that you would have to deploy new equipment to comply with the legislation and that that would come at a cost. That is correct, is it not?
Mark Hughes: That is correct, yes.
Q I understand from your answers to Keir that you are still working with the Home Office to agree the precise specification of what an ICR is. Is that right?
Mark Hughes: That is right, yes.
Q Are we to understand, then, that you have not as yet reached agreement with the Home Office about the specification of an ICR?
Mark Hughes: No. It is a work in progress. This is quite a truncated time frame, as you know. I characterise a lot of things that we are doing at the moment as “in parallel” as opposed to “in series”.
Where we are at the moment is that there has been extensive consultation with the Home Office around this. There are a number of different technical approaches to how you take those component parts that then constitute themselves as an internet connection record—for example, things like the rate of sampling that you use inside the networks. Of course, it depends on the type of service that we are talking about; there are technical differences between how those services and that information are then put together to create the internet connection record. That has a big difference in terms of the associated cost.
Q That is what I want to come on to. The Home Office has mentioned a figure of £170 million. Can you give us any indication of how much of that money British Telecom would need to build a system?
Mark Hughes: There is a spectrum. If the Home Office wanted us to collect everything and carry out a very high rate of sampling, meaning that a lot of information would potentially be available, BT—and EE; we recently bought EE, as you may know—would take the lion’s share of that figure alone, just in terms of our services.
However, we are in very frequent dialogue. Only in the last couple of days, we have been talking to the Home Office about the technical challenges associated with the trade-off between how much it will cost and how much data will be available. Clearly, if there is a different view in terms of the amount of data required, the cost may well be appropriate for the rest of the industry. It is difficult for me to comment on other operators.
Q We have covered potential costs of building the system. Can you give us a timescale?
Mark Hughes: Again, that is down to the detailed, technical implementation and testing to ensure that it would work properly. Some of the data sets that make up the ingredients of an internet connection record are something that we do retain for business purposes already—not necessarily for the length of time they are talking about—so depending again on the final technical solution we came at, and at what services it is targeted, it could take a few months and up to a year-plus to get a solution in place.
Q When you say a year-plus, how much on top of a year?
Mark Hughes: Again, depending on exactly what it is that we agree on with the Home Office that it wants, I think it is reasonable to suggest that we would have a service in place in a year.
Q Are you aware of what has happened in Denmark regarding the collection of internet connection records?
Mark Hughes: I am, yes.
Q On 17 March, the Danish Minister of Justice informed the Danish Parliament that the plans for a new internet connection records scheme had been put on hold. The reason given for the policy change was the substantial cost of ICR collection—the economic burden would be too high for the Danish telecoms industry. Were you aware of that?
Mark Hughes: I am aware of that. Under the proposals in the Bill—the Home Secretary has made reference to it—we would recover our costs from the Home Office, as we have done under existing legislation. We would like to see clearly articulated on the face of the Bill that 100% of our costs are to be recovered. That is very different from the Denmark situation. In Denmark, that is not the case; the burden is placed on the telecoms operators.
It is difficult for me to comment precisely on the Danish telecom operators because I am not one of them, but specifically here, as far as the UK is concerned, the proposed regime is more sensible as long as it is clear that we will recover 100% of our costs. We think it is important that that is on the face of the Bill—not just for the reason we said about Denmark, but also because more broadly in itself it provides a proportionality check, so you would not spend a huge amount of money to achieve little effect. If it is clear how much the public purse will have to bear of that, we think that in itself creates a proportionality check in terms of what activity is proposed.
Q Do you agree that we cannot compare what is proposed in the Bill with what was proposed in Denmark until you have got an agreed specification with the Home Office?
Mark Hughes: A pamphlet has been issued and we have been in discussion with the Home Office as recently as the last couple of days about this. More clarity is required, but broadly speaking there is a definition in the Bill, there are purposes in the Bill and we understand that there are options technically around it. We have been working that through with them, but yes we would like clarity as soon as we can.
Q Thank you, Mr Hughes, for coming, and thank you also for acknowledging the extent of the consultation with which you have been engaged with the Home Office. As a result of that, you will know that the codes of practice published at the time of the Bill reflect some of the arguments you have advanced previously and clarify some requirements.
Today you emphasised that as we move forward there will be ongoing discussion. How important do you therefore think it is to avoid rigidity by putting more on the face of the Bill rather than including that in codes of practice and in the ongoing discussions you described?
Mark Hughes: It is very important that we have words and definitions on the face of the Bill to deal with the really substantive points as far as this type of legislation is concerned—namely the level of intrusiveness, which is clearly where definitions help. A definition is only really a way of helping to establish the level of intrusiveness of the power that is being put in place.
There are needs to have something. One need, which I have said, is about ensuring that there is clarity around 100% cost recovery, for example. There is definitely a need for that and with 268 pages there is quite a lot in there. However, we also recognise that as technology changes—our world is an ever-changing one as we know, and that is the case specifically in our industry—there is need for flexibility of a discussion point around how consultation happens and how that manifests itself in a legal instrument for us to retain and disclose either content or other types of communication data.
It is a difficult balance to be had. I think there is a lot at the moment in the Bill that is very useful. There are purpose limitations, for example, which are very useful for us, as are, as I said already, the definitions.
The other point is that there does need to be flexibility in future about understanding how the new codes of practice will be formulated based on what was required, and the Bill is clear that the correct oversight is in place. That is a difference from the extant legislation. The consultation process is different from others there have been in the past, and we welcome that.
Thank you.
Joanna Cherry, if I give you six minutes—I gave Keir six minutes—you will know what you are working with.
Q Thank you, Mr Walker.
Mr Farrimond, are you aware that just last week the Danish Minister of Justice informed the Danish Parliament that plans for a new internet connection record scheme have been shelved in Denmark?
Chris Farrimond: Yes, I am.
Q Are you aware that the reason given for that was the substantial cost and the economic burden for the Danish telecom industry?
Chris Farrimond: Yes, I am aware of that too.
Q I want to change tack slightly and ask you about the police online Crimestoppers website. I am sure everyone agrees that it is a useful service.
Chris Farrimond: Yes.
Q I looked at it again this morning and it says that when you fill in their form and say you want to be anonymous, you are guaranteed anonymity. That is correct, isn’t it?
Chris Farrimond: Yes, it is.
Q But if we pass this Bill, that assurance will no longer be accurate. Isn’t that right?
Richard Berry: That is a technical observation, but I think the point is that, in terms of the collection of data and, more importantly, police access to or acquisition of that data, we are looking for stuff that is relevant and useful. So a line of inquiry or a justification for accessing the Crimestoppers website from my perspective could not be justified in terms of the necessity and proportionality tests required for giving that authority.
Q If we could reel back a little, if this Bill is passed, the purpose of internet connection records, we have been told, is to have a record of every device’s connection to every service. If anyone goes on to the Crimestoppers website and fills out the form, there will be a record of their connection to that service, so it is correct to say that their anonymity is no longer guaranteed. Is that not absolutely right?
Chris Farrimond: Where is that different from Crimestoppers? If someone phones in, they are guaranteed anonymity, but if we wanted to we could easily find out who made that call. We don’t because we guarantee anonymity. If we didn’t, no one would phone the number any more.
Q I am focusing on internet connection records. There may be other questions about communications data, but I want to clarify, because it may be very important to Members’ consideration of the Bill, that I am correct in saying that, if this Bill is passed as presently drafted, the assurance of anonymity on websites such as Crimestoppers will no longer be accurate because the purpose of internet connection records is to identify that A has used a particular device to connect to the internet service concerned.
Richard Berry: That is no different from the present situation with internet communications data. The fact that there is a freephone call number for Crimestoppers doesn’t mean that in technical terms that communication cannot be traced, but we just don’t do that because we guarantee anonymity. It wouldn’t be necessary and it wouldn’t be proportionate.
Q But when you use a phone to contact Crimestoppers, there is no tick box saying, “I want to be anonymous”, is there?
Richard Berry: There is an assumption. It is well advertised that Crimestoppers—
Q There is no tick box on a phone.
Richard Berry: Not that I am aware of. No.
Q But there is a tick box on the internet site saying, “I wish to remain anonymous.”
Richard Berry: That can remain.
That is there because we have discovered in police and law enforcement services, where I used to work as a Crown prosecutor, that if you guarantee people anonymity, you sometimes get more people to come forward.
Richard Berry: Absolutely.
So it is possible that, if this Bill is passed, we will actually dissuade people from reporting crime because we can no longer guarantee their anonymity.
Chris Farrimond: I am also responsible for covert human intelligence sources for informants. Of course, we know their identity, but we guarantee their anonymity. That is precisely what we do, although their identity is known within the agency. It is difficult to predict exactly how this could possibly impact, but if we are guaranteeing anonymity, that means we will not—
Q But we are not talking about CHIS; we are talking about ordinary members of the public, the sort of person who watches “Crimewatch UK” when it is on once a month, recognises one of the mug shots and goes on the website but is scared for their own safety and so wishes to remain anonymous. We need to be clear that that anonymity can no longer be guaranteed because all internet connection records will be collected. Is not that right?
Richard Berry: It would be guaranteed by law enforcement, because that is our operational policy. We would not access it. We do not retain the data, and nor could we access it, as a matter of policy.
But the fact is that the connection to a particular service from a particular computer will be recorded as an internet connection record and retained.
Richard Berry: In theory, that could be the case, but it would never be accessed. Lots of internet connection records would potentially be gathered, but we are very much about targeted inquiry, rather than bulk inquiry, so it would never pass the necessity and proportionality test.
That is an internal guarantee that you are giving us. There is nothing in the Bill to say that it would not be accessed, is there?
Richard Berry: Not that I have seen, no.
Q I will be mercifully brief. Given your very wide case experience, and the fact that an overwhelming number of serious crimes are now connected with both the technology and methods of modern media, can you envisage circumstances in which loss of life or severe injury might be prevented through equipment interference?
Chris Farrimond: Absolutely, yes.
Joanna Cherry, you have five seconds, and anyone who wants to answer has 10 seconds.
Q I will try. Unilateral assertions of extraterritoriality will not help us much, will they? What we need is bilateral or multinational agreements with other countries, such as we have through Europol.
Chris Farrimond: I would say that they will help, in that they demonstrate what the UK would like to achieve. We have really good partnership relationships with a number of countries around the world. If it so happens that they are looking at a similar sort of provision in their legislation, we could quite easily find common ground. It may be that that is not possible and we need greater detail, but there is no harm at all in saying, “Look, this is what we’re asking for. It’s quite reasonable, isn’t it? These are our checks and balances around it.” That is the start point, as far as I can see, for further negotiation.
Thank you. Well done colleagues—you were razor-like in your questioning.
Examination of Witnesses
Mark Astley gave evidence.
Q I see, so at the moment, your function is limited in this particular field to local authorities.
Mark Astley: Correct.
Q Your organisation has identified a range of crimes that local authorities use communications data to tackle. Do you think the Bill ought to identify the crimes more precisely to prevent data from being used in relation to, for example, rubbish collection or school places?
Mark Astley: I believe that the process is in place for identifying necessity and proportionality. The three bar process that we currently have in place will deal with that. To actually identify particular legislation could become more constraining and difficult to administer and, as more legislation comes along, more changes may be required to the Bill.
Q Do you agree that the issues of rubbish collection or potential abuse of school places are not really serious crimes?
Mark Astley: I do, and the fact that communications data is not used for those types of investigations in respect of that should enforce that.
Q But there is nothing on the face of the Bill to prevent it from being used for that kind of investigation, is there?
Mark Astley: No, but we have the three locks in place. They call it the double lock at present, but what the National Anti-Fraud Network provides is what we call a triple lock. We have the NAFN single points of contact that it has to go through. They are fully accredited and professional, and they are fully trained to ensure that we weed out all those types of inquiries. The next lock is the designated person, and following that you have the judicial approval process, too. There is a triple lock in place to prevent any of that from happening.
Q But there is nothing on the face of the Bill to prevent the individuals you have mentioned from ultimately reaching the view that it might be necessary or proportionate to access communications data to deal with issues around rubbish collection or school places. It has happened, has it not?
Mark Astley: Not for communications data. The process is in place—the triple lock—from a NAFN perspective. The NAFN SPOCs are totally independent and fully trained. They will ensure that any application is appropriate, necessary, proportionate and lawful for that to process.
Q You mentioned judicial authorisation. Can you elaborate on what you meant by that?
Mark Astley: Currently, our members have to go to a local magistrate to have any access request approved judicially.
Q It is possible to bypass the single point of contact in an emergency, is it not?
Mark Astley: No, not for a local authority.
Q Your organisation told the Joint Committee that five hours of an officer’s time seeking judicial approval is “slow and inefficient” and “a deterrent to councils”. Do you feel that the individual’s right to privacy might justify five hours of an official’s time?
Mark Astley: The issue around resources is more about how we can better deliver the services. The judicial approval process is there, and it is supportive. Looking at the figures for the past two years, 2% of those requests have been rejected by our own SPOCs, 0.3% have been rejected by the designated persons and only 0.2% have been rejected by judicial approval. Our belief is that the processes in place work effectively.
Q That was not really my question. My question was on whether you agree that the individual’s right to privacy justifies the time that is sometimes taken in inputting for a judicial approval.
Mark Astley: I understand the need for respect for privacy, but the necessity and proportionality aspect of every case will be considered, and if it is appropriate to do so, we would need to intrude on that privacy.
Q Obviously, your role is an additional safeguard. There are those who think that the Home Secretary and I are preoccupied with safeguards, checks and balances and the defence of privacy, but I think we have probably got this right. Can you tell me of the number—the frequency—of requests that you would consider to be an abuse of power in respect of applications for information? How often do you come across seedy requests that you would consider to be an abuse of the powers?
Mark Astley: In 2% of inquiries in the past two years, we have had applications rejected or cancelled through the input of our accredited SPOCs.
Q One final swift question on thematic warrants and the breadth of the powers proposed in the Bill. Do any of the witnesses have headline concerns that the Committee can take away to work on as we consider the Bill line by line?
Sir Stanley Burnton: First, the existing formulation in RIPA is very unsatisfactory and unclear, and it does not cover many cases in which it would be sensible to have a so-called thematic warrant. However, the wording of clause 15(2) is very wide. If you just have a warrant that gives a name to a group of persons, you have not identified—certainly not in the warrant—all those persons to whom it is going to apply. There could be substantial changes in the application of the warrant without any modification. At the moment, the code of conduct envisages a requirement that names will be given so far as practicable. Our view is that the warrant should name or otherwise identify all those persons to whom the warrant will apply, as known to the applicant at that date.
The other concern is that substantial modifications can be made to a warrant under the Bill with no judicial approval or even notification. That needs to be changed.
Lord Judge: I agree with Sir Stanley. I will not say anything more on the second point he made, but on the first, a part of the process that all of us involved in supervising surveillance attach a great deal of weight to is that we are looking at individuals. There has to be evidence that X requires this, that there is a situation in which it is necessary for this to happen, that it is proportionate in this particular individual’s case and that there is no collateral interference. For example—there are many different examples—why should a women who happens to be married to or living with a man who is suspected and so on have her life entirely opened up in this way? Not having specific identified individuals leaves a very delicate situation. I suspect that the commissioners would find it very difficult to just say, “Well, we’re satisfied. There’s this gang here and they’re all pretty dangerous.” They might not be, and we have to be very alert to that.
Q I have questions for Jo Cavan. In your organisation’s written evidence, you have picked up on earlier concerns about the draft Bill and updated them in the light of the finalised Bill. In the first point, you say that you have concerns about the “aggressive timeline” for the Bill. Can you explain what you mean by that?
Jo Cavan: It is a really complicated and significant piece of legislation. Although I broadly support the Bill, because it is a good thing to put a number of the powers used by the intelligence agencies on a clearer statutory footing and to try to improve transparency, I do think that the scrutiny process has been very hurried. That is of concern because there are some significant privacy implications to the clauses in the Bill. There is still a long way to go towards strengthening some of the safeguards. Also, a lot of the operational detail is in the codes of practice. It is really important that those are scrutinised properly, line by line.
Q When you express concerns about the aggressive timeline for the Bill, are you talking about the Bill before us as well as the draft Bill?
Jo Cavan: Yes.
Q So you consider the time that has been afforded for the scrutiny of the Bill before us to be aggressive.
Jo Cavan: It has been challenging to say the least.
Q Do you think it is adequate?
Jo Cavan: You could argue that because we are waiting for a number of key judgments from either the European Court of Human Rights or the European Court of Justice, it might seem a bit premature to be legislating in some of these areas, but then when do you draw the line?
Q At point 5 in your written evidence, you pose the question:
“Is it desirable to have the same body responsible for authorising investigatory powers and undertaking the post facto oversight of the exercise of those powers?”
You say:
“If so, the judicial authorisation and oversight elements of that body must be operationally distinct.”
You have already explored point 2 of your written evidence with us, but will you elaborate on point 5?
Jo Cavan: It is clear to us that there needs to be some operational distinction between the approval—the judges who are going to be approving some of these techniques—and the audit and oversight after the event, because if the judges approving the requests are then responsible for the post facto oversight, essentially they could be accused of marking their own homework. Again, if the commission is created, you will be able to distinguish those key elements.
It is really important for the commissioners to work very closely with the inspectors and technical engineers and so on who will carry out the post facto audits. They are obviously going to need to support each other, but it is really important that there is a distinction. I think I have spoken to a number of our international oversight counterparts, and some of those are quite surprised that we are going down a route where we are putting both elements into one body.
Q At point 6 of your written evidence you expressed concern that in the draft Bill there were
“a number of clauses which provide exceptions for national security or which exempt the intelligence agencies from key safeguards”.
What is your view of the finalised Bill in relation to that concern?
Jo Cavan: Essentially there has been progress on one of the national security exemptions, which is around the acquisition of communications data to determine journalistic sources. The Government have amended clause 68 to remove the national security intelligence agency exemption. That was because that was picked up by the Intelligence and Security Committee and the Joint Committee.
However, there are still two broad exceptions in the Bill: clauses 54 and 67. One of them is really important, because it is around the independence of designated persons. This area was strengthened as a result of the Digital Rights Ireland case, and that is an area where we still find significant compliance issues within public authorities. Communications data is approved by designated persons—it will become designated senior officers in the Bill—who are from the same public authority. In almost half of the police forces, intelligence agencies and other bodies that we inspected last year, we made recommendations around that area because we were not satisfied with the independence.
The clauses as drafted seem to drive a horse and cart through the independence requirements for designated persons by exempting very broadly national security. The same is the case in the single point of contact provision in clause 67: that appears to exempt in national security cases the SPOC being consulted, and we see the SPOC as a key safeguard in the process. So the fact that the Government have already said that the exemption relating to journalistic sources was broad, and removed it, suggests that the same needs to happen to clauses 54 and 67.
Sir Stanley Burnton: I would just like to add that it is far from obvious that the interests of national security, which is a ground for the grant of a warrant, is itself an exceptional circumstance. It is very difficult to see what the logic behind that formulation is.
Q One of the innovations of the Bill is the double lock. When you were Home Secretaries, most warrants would have been signed just by the Home Secretary. Will the knowledge of having judicial oversight and a second authorisation before the warrant comes in change the behaviour of the Home Secretary when approaching the decision?
Charles Clarke: I tend to doubt it. Speaking for myself and, I am sure, for John—actually, for all Home Secretaries I have ever discussed this with—we have all been exceptionally aware of the severity and seriousness of what we were looking at. I do not think that the idea that there was going to be a judicial review of what we were doing would have changed our behaviour significantly. There is quite a serious, in-principle issue about the role of the judge as opposed to the role of the Executive.
I saw you taking evidence from Lord Judge just now. I bumped into him as I was coming in. The question of the relationship between the judiciary and the Executive is a key point. I gave evidence on it to the House of Lords Constitution Committee in 2007 because I think it has all been changed by the Human Rights Act 1998. I think there has been insufficient consideration of the changing nature of the relations. In response to your particular point, Mr Kyle, I do not believe that there would have been a significant change in behaviour.
Lord Reid: I do not think there will be a change in behaviour from the point of view of the person who is ultimately accountable to Parliament for the decisions, which is the elected Member and appointed Minister. Probably even before RIPA, which I think Charles took through the House of Commons, there was an awareness that there were degrees of oversight and you were working within certain constraints and certainly with oversight.
I confess that where I would worry—you would perhaps say, “Well, he would, wouldn’t he? He was the Home Secretary.”—is in case the judicial oversight became a co-decision. I think that is a recipe, in some cases, for obstacles to the efficient operation of aspects that I mentioned earlier, for instance in a hostage situation. I know that allowances are being made for that.
I guess that the additional oversight—judicial oversight—that is in the Bill is a result of a number of factors. One is the concern—I do not know whether it is public concern; I do not think it is, but it is certainly published concern—over the Snowden revelations, the general distrust of politicians and the fact that there was a Liberal-Conservative coalition. All of this is compromise, is it not?
I have no in-principle objections to it, provided that the first decision is made by the person accountable for it, through Parliament, to the public and the role of judicial oversight is the judicial element of it.
Q On 4 November last year, when the Home Secretary introduced the draft Investigatory Powers Bill to the House of Commons, she informed us:
“the acquisition of bulk communications data, both relating to the UK and overseas…is not a new power. It will replace the power under Section 94 of the Telecommunications Act 1984”.—[Official Report, 4 November 2015; Vol. 601, c. 971.]
May I start with you, Mr Clarke? When you were Home Secretary, how many times do you recall authorising the use of
“the power under Section 94 of the Telecommunications Act 1984”
to collect the telephone records of everybody in the UK into a single national database?
Charles Clarke: I do not recall the answer to your question at all, I am afraid; I have not prepared for this meeting, or gone back to my files, so I cannot answer the question. I think what the Home Secretary will have been trying to communicate is that the purpose of this legislation is to update legislation in the light of massive technological change, even since 1999, when I took the RIPA Bill through Parliament. As you will recall, that was to make what was being done compliant with the Human Rights Act, which required us to have a basis on which all of this was understood. Previously, this had all been done without any basis, and I was very proud to take that legislation through.
I said at the time—if you go back to the records of those hearings—that it would be necessary to update that Bill as technology moved forward, and I think that is what the Home Secretary meant in what she said. However, I apologise that I cannot give you the precise answer that you are looking for.
Q Perhaps you can help me with this question. When Parliament passed the Telecommunications Act 1984, there was no such thing as itemised phone bills. Do you remember back that far?
Charles Clarke: I was hardly born then. [Laughter.]
Lord Reid: That is before even we were in Parliament.
Charles Clarke: Sorry. Joking aside, I understand your point completely—
Q On the hypothesis that that is correct—that there was no such thing as itemised telephone bills in 1984—then the use of itemised telephone bills to compile a national phone call database could not have been foreseen when that legislation was passed by Parliament, could it?
Lord Reid: I think these are interesting questions, but they miss the point of historical change since 1984; that is the important thing. To put it at its simplest, the principles behind interception or access have always been the same, whether it was in the days when you sent a letter to somebody, or the days when you made a telephone call to somebody. The principles, put very crudely, were that if you wanted to know whose name was on the envelope, then you had a level of authority that was necessary, and oversight. If you wanted to read the letter, you had a higher level of authority that was required, normally from a Minister. Similarly, with telephone calls, if you wanted to know who was phoning whom, then you needed a level of authority that was not necessarily the Home Secretary, because after 1984 there was such information available. If, as a result of that, you wished to go into the contents of the telephone conversation, like the contents of the letter, you required an even higher level of authority by warrant.
What has changed is that it has gone from people sending pigeons, writing letters and telephoning each other, to global communication, as you will be well aware. Instead of a phone call from Cambridge to London that can be intercepted, it goes around the world in packages. Indeed, as you probably know, that is why it was produced: the internet has its origins in the necessity of protecting the command and control structure for the launch of American nuclear weapons by the American President. It makes it much more difficult to intercept that.
To put it in grossly simple terms again, somebody used to say, “We all like rabbit pie but first you have to catch the rabbit.” We all want to get the needle in the haystack, but first you have to find the haystack. The problem we are all faced with now is that the haystack is global. It is global communication, which is why we get this tension between so-called bulk collection and targeted examination.
That is a long answer to your question, but I hope it goes to some of the central questions that your Committee will be asking about that relationship. Normally, a Secretary of State would authorise a targeted interception, but the explanation of why you are being asked to authorise that may relate to something much wider, as I hinted at earlier, because you have discovered the need to target this interception because of a bigger node and a bigger network.
Q I was not asking about targeted interception, I was asking about the current Home Secretary’s specific avowal of that fact that for many years section 94 of the Telecommunications Act 1984 has been used to collect the phone records of everyone in Britain into a single national database. I am simply interested to know whether either of you gentlemen, as former Home Secretaries, could tell us whether you had authorised that.
Charles Clarke: No, I cannot, for the reasons I have stated.
Lord Reid: You would have to ask the Secretary of State that.
Charles Clarke: I do think that the related point is future-proofing. In an area where technological change is taking place so rapidly—where you have a state of affairs on the balance between security on the one hand and liberty on the other, and where we need to keep the capacity to surveille threats to society—how do we future-proof that? That was the issue I faced with RIPA in 1999-2000, and I think it is the issue that this Committee faces in thinking about this particular piece of legislation too.