Investigatory Powers Bill (Fifteenth sitting) Debate
Full Debate: Read Full DebateJoanna Cherry
Main Page: Joanna Cherry (Scottish National Party - Edinburgh South West)Department Debates - View all Joanna Cherry's debates with the Attorney General
(8 years, 6 months ago)
Public Bill CommitteesThe amendments go in pairs: amendments 853 and 854 are to clause 216, amendments 845 and 855 to clause 217 and amendments 852 and 859 to clause 220. They all have the same purpose and intent: to subject the powers in the clauses to the double-lock mechanism—in other words, to involve the judicial commissioners in those powers.
Clause 216 is concerned with national security notices. Subsections (1) and (2) make the power to issue such notices subject only to the test that they be
“necessary in the interests of national security”
and “proportionate”. There is no specific reference to any operational purposes; it is a very broad power. Once a notice is issued, subsection (3) takes effect:
“A national security notice may…require the operator to whom it is given—
(a) to carry out any conduct, including the provision of services or facilities, for the purpose of—
(i) facilitating anything done by an intelligence service under any enactment other than this Act, or
(ii) dealing with an emergency (within the meaning of…the Civil Contingencies Act 2004);
(b) to provide services or facilities for the purpose of assisting an intelligence service to carry out its functions more securely or more effectively.”
The Secretary of State issues a notice; once that notice is issued, the requirement on the operator is very broad. To be fair, subsection (4) makes it clear that a national security notice cannot be used to sideline or cut across a warrant or authorisation that is required under the Act, but the clause does make a very wide-ranging power available to the Secretary of State and it seems subject to pretty well no check, balance or safeguard.
The amendments would subject the procedure to the double-lock mechanism, to ensure that such a notice would go before a judicial commissioner, who would consider whether it was in the interests of national security and proportionate under subsections (1) and (2). The Joint Committee raised concerns about this issue when it looked at the draft Bill, and in particular how the lack of a definition of national security means that the power granted by the clause is very wide indeed.
Does the hon. and learned Gentleman agree that, in the absence of a definition of national security, it is difficult to foresee the kinds of activity or intrusion that obligations under the clause could entail? Is it not therefore providing a blank cheque power to the Government?
There are clear reasons for not going down that route. We are talking about the preparatory stage as opposed to the stage of interference with privacy. If the Government’s position was that there was a loophole—a gateway—to allow such interference, the hon. and learned Gentleman’s argument would have real strength, but that is far from the case. This is all about the preparatory stages—the necessary stages that need to be taken by communications service providers before we get to the application for what we all accept is an intrusion.
I am afraid I cannot share with hon. Members their analysis that we need a “now and forever” definition of national security in law. There is a good reason why national security is not defined in statute. Any attempt to define it in the Bill runs a real risk of restricting the ability of this country to respond to constantly evolving and unpredictable threats. It is vital that legislation does not, however unintentionally, constrain the ability of our security and intelligence agencies to protect this country. The examples are all around us: who would have imagined a few years ago cyber-attacks of the nature and on the scale that now threaten us? My concern is that if we try to rigidly define what we mean by national security, we run the risk of defeating the means by which we can keep this country safe.
I hear what the Solicitor General says about the measure only facilitating preparatory steps, but under the terms of clause 218(8) we will never know whether the notices exist or their contents, so we will not be able to know whether we are dealing with preparatory steps or whether they could go beyond that.
I have gone as far as I can to explain the types of scenarios that the national security notices would be used for. In essence, they deal with the nuts and bolts rather than the intrusion. If somehow there was a gateway into intrusion, the hon. and learned Lady would be absolutely right, but I assure her that there is not, so the worries that she and other people and organisations have about a blank cheque, while understandable, are unfounded. I can assure her in Committee and I am happy to continue to make the assurance that the function of this type of notice is not intrusion.
Indeed, we have oversight because national security notices will be overseen by the Investigatory Powers Commissioner. The commissioner will have a duty to report at least once a year on what he or she has found and to make recommendations on where improvements can be made. The commissioner will also have the power to report on an ad hoc basis on any issue that he or she considers appropriate.
I respectfully support everything that the hon. and learned Gentleman has said.
In arguing in opposition to the amendments, I first want to address the last point that the hon. and learned Member for Holborn and St Pancras made. I can come back to his point about the tests, but in a nutshell, they are inherent to the Bill. The tests of necessity and proportionality are part and parcel of the decision-making process that the authority will be enjoined to carry out.
The Intelligence and Security Committee described the clause as a
“seemingly open-ended and unconstrained power”.
Does the Solicitor General not agree that it is therefore essential that the tests of necessity and proportionality are spelled out in the clause, as they are in other parts of the Bill?
I hear the hon. and learned Lady, but I am not convinced that the basis of her argument is right given the breadth of the power. As I said in the context of national security notices, the technical capability notice is only a preliminary step. It will allow the subsequent implementation of a warrant, which will then be subject to the tests of necessity and proportionality. I would not want the Committee to operate under a misapprehension. It is my strong, and I hope clear, assertion that we are dealing with an earlier stage of the process, so we should not be driven to the conclusions that I know critics of the Bill want us to reach.
May I deal with encryption, which, as the hon. and learned Gentleman rightly characterised, is at the heart of the matter? I put it on the record that the Government recognise the vital importance of encryption. It has become part of our daily lives. It keeps our personal data and intellectual property secure and ensures safe online commerce, and the Government work closely with industry and business to improve their cyber-security. I can reassure the Committee that in the preparation of the code of practice, there has been close consultation with the interested parties in the industry to ensure that it comprehensively reflects the realities and needs of those who operate in this sphere. Not only does the code of practice replicate the provisions of RIPA, but it goes further, with a degree of specificity that is not possible in primary legislation. It will be a flexible, living instrument that will form a clear prospectus within which everyone can work. I make no apology for the measure being in a code practice, which is where it should be, rather than in primary legislation. With the best will in the world, we all know that it is difficult to amend primary legislation and ensure that it keeps pace with the somewhat breathtaking changes that occur in this particular field of operation.
I also want to talk about the role of GCHQ, which plays a vital information assurance role and provides advice and guidance to allow the Government, industry and the general public to protect their IT systems and use the internet safely. As the director of GCHQ, Robert Hannigan, made clear in his speech on 8 March:
“I am accountable to our Prime Minister just as much, if not more, for the state of cyber security in the UK as I am for intelligence collection.”
In the past two years the security and intelligence agencies have disclosed vulnerabilities in every major mobile and desktop platform, including some of the big names that underpin business here in the UK. In September 2015, Apple publicly credited CESG, the information assurance arm of GCHQ, with detecting a vulnerability in its operating system for iPhones and iPads, and we all know where that vulnerability could have led. The vulnerability was fixed as a result of that intervention, so the suggestion, which I know has not been advanced in this Committee—and I hope will not be—that the Government are opposed to encryption, or would legislate to undermine it, is wholly wrong.
We have to ensure that we have the necessary capabilities to keep our systems safe. Encryption is now, in effect, the default setting for most of our IT products and online services, and although it can be a power for good in keeping the law-abiding safe and secure, sadly it is used easily and all too cheaply by terrorists, paedophiles and other criminals. Therefore it can only be right that we retain the ability to require telecommunications operators to remove encryption in strictly limited circumstances, with strong controls and safeguards, so that we can address the increasing technical sophistication of those who would seek to do us harm. If we do not do that, we must simply accept that there are areas online that are beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. I do not accept that, and I know the general public do not accept it either. That is our starting principle.
Clause 218(8) and (9) provides that the recipient of a notice must comply with it but must not disclose either its existence or its contents. Does that mean that if an Apple against the FBI scenario were to occur in the UK, Apple would not be able to disclose even the fact that it had been served with a notice, let alone challenge it in court? That is how I read it.
Not without the permission of the Secretary of State. I will return to the mechanism in question, but I am grateful to the hon. and learned Lady for raising that point. I am sure I will be able to provide her with clarity as I develop my remarks.
The starting principle is shared by David Anderson, who in his important review said:
“My first principle is that no-go areas for law enforcement should be minimised as far as possible, whether in the physical or the digital world.”
That view was shared by the Joint Committee on the draft Bill and is shared by the Select Committee on Science and Technology, both of which recognise that, in tightly prescribed circumstances, it should remain possible for our law enforcement and security and intelligence agencies to be able to access decrypted communications or data. That is what clauses 217 and 218 are all about: strong safeguards to ensure that obligations to remove encryption can be imposed only in limited circumstances, subject to rigorous controls.
The hon. Gentleman is right to make that important point and to steer us back on to the straight and narrow. I am not criticising the Committee for trying to bring the Bill to life with some examples. We are indeed talking about communications service providers, not third parties, which is important in the context of the Bill.
Are we not concerned here with the “relevant operator”, which is defined in clause 217(2) as
“a postal operator…a telecommunications operator, or…a person who is proposing to become a postal operator or a telecommunications operator.”?
That definition is the basis of the concern for companies such as Apple.
The hon. and learned Lady is absolutely right to bring us back to clause 217(2). The problem that hon. Members are anticipating is that the provisions will somehow catch parties that no one would regard as appropriate. I think I have given clear assurances on that third party problem.
In endeavouring to answer my right hon. Friend’s point, may I deal first with the question about telecommunications operators? Some assistance may be gained from clause 223(10), where a telecommunications operator is defined in a way that includes Apple. The famous Apple case—the California case—was about the use of a password, which is slightly different from the question of encryption, but it does demonstrate the important tussle between the need to balance public safety and privacy. In that case, the FBI, with an appropriate search warrant, was asking for the chance to try to guess the terrorist’s passcode without the phone essentially self-destructing—after so many tries, everything gets wiped.
We are talking about an attempt to obtain communications data within the robust legal framework that we have set out, with the double lock and all the other mechanisms that my right hon. Friend and the Committee are familiar with. I am grateful to him for raising that case, but there are important differences that it would be wrong to ignore. In a nutshell, without the powers contained in the Bill, a whole swathe of criminal communication would be removed from the reach of the authorities. That is not in the interests of the constituents he has served with distinction for well over a quarter of a century—he will forgive me for saying that—or any other of the constituents we represent.
I was going to come back to the obligations imposed under a technical capability notice, with particular regard to the removal of encryption. The obligations imposed under such a notice will require the relevant operator to maintain the capability to remove encryption when it is later served with a warrant notice or authorisation. That is different from merely requiring it to remove encryption. In other words, it must maintain the capability, but there then needs to be the next stage, which is the warrant application and the notice of authorisation, where there is of course the double lock. The company on which the warrant is served will not be required to take any steps, such as to remove encryption, that are not reasonably practicable.
In a nutshell, this measure is about not an interference with privacy but sets out the preparatory stage before a warrant can be applied for. The safeguards provide the strict controls that I assure the Committee are needed in this sphere of activity. We are maintaining and clarifying the existing legal position.
I am anxious to clarify what the Solicitor General said about the justiciability of the issuing of such a technical notice. As far as I can see, the Secretary of State is the gatekeeper to justiciability, because the contents of a notice can be revealed only with his or her permission. Where does it say that that can be justiciable, because I cannot find it?
I think it is clause 220, but I will get some further assistance on that point for the hon. and learned Lady before I resume my seat. I am grateful for that intervention.
The Bill does not drive a coach and horses through encryption. It does not ban it or do anything to limit its use. A national security notice—we debated this matter on clause 216—cannot require the removal of encryption, which further supports my argument that there is no blank cheque in the context of these notices. On the issue of civility, rather than keep this Committee waiting, I will write to the hon. and learned Lady to clarify the point that she rightly raised.
I am glad that my hon. and learned Friend has reminded us of that. I referred earlier to that consultation process. The next stage is when the Secretary of State decides to proceed. I will consider that issue even more carefully to ensure that the Committee is furnished with as much information as possible before Report.
Let me deal with the amendments tabled in the name of the hon. and learned Member for Holborn and St Pancras and others. On amendment 846, the Bill already makes it absolutely clear that a communications service provider will not be obligated to remove encryption where it is not reasonably practicable for them to do so. I do not think the amendment adds anything, and in many cases it would have the effect of inhibiting law enforcement agencies and the security and intelligence services from working constructively with tele- communications operators as the technology develops. I am sure that that is not the intention of the amendment. Depending on the individual company and the individual circumstances, it may be entirely sensible for the Government to work with a company to determine whether it would be reasonably practicable for it to take steps to develop and maintain the technical capability to remove the encryption it has applied to communications or data.
My worry about the amendment is that we would end up with communications services that can be used by criminals and others to communicate with each other unimpeded. We know that internet gambling sites, which have chat room provisions, are used by criminals for entirely unrelated criminal activities. I am sure that that is not the intention behind the amendment. Therefore, with respect, I urge hon. Members to reconsider it.
I will not deal in detail with amendment 847, because I do not think the hon. and learned Gentleman seeks to press it. Although I oppose it, I will move on without argument to amendments 848 and 858. We have discussed similar amendments on extraterritoriality in relation to other powers in the Bill. I pray in aid the arguments I used earlier. The provisions in the Bill allow a notice to be given in the most appropriate manner, taking into account the preferences of each company, which is an example of the adaptability of the legislation to the real world.
Amendment 848 is unnecessary because the clause is about not the acquisition but the development and maintenance of a technical capability. Conflict of law issues are much more likely to arise in respect of giving effect to a warrant, and we already have protection in the Bill for such cases. Admirable though the amendment may seem, it is therefore unnecessary.
Amendment 849 is unnecessary because it duplicates provisions in clauses 218, 216 and 217. I have discussed clause 218(3), which stipulates that the Secretary of State must consider a wide range of matters before giving a notice. That detailed assessment already speaks to the issues raised by the amendment. The Secretary of State has to be satisfied that the conduct is proportionate, justified, necessary and practicable.
I am sorry to interrupt the Solicitor General’s flow, but I sense he is coming to the end of his argument. Will he clarify something? Am I right in understanding that there is nothing in the clause to prevent someone who is intent on evading surveillance from using open-source encryption software that is personally generated by the user? That would mean they could encrypt files and email communications themselves, independent of any provider, and therefore remain untouched by this legislation.
That question is about the definition of the provider. I am sure we will be able to provide some clarity on that before I draw my remarks to a conclusion. I am grateful to the hon. and learned Lady for raising that point.
Amendment 850 relates to consideration by the Secretary of State of the effect of a notice on the privacy and human rights of people both here and outside the kingdom. The amendment is unnecessary because of the point I made before, which I will reiterate: the clause is not about notices authorising an interference with privacy. A warrant provided for elsewhere in the Bill is required to do that, and we have already considered the potency of the double lock and the test to be applied. A point that is relevant to all the amendments in this group is the statutory function of the Investigatory Powers Commissioner to oversee the use of notices. I raised that in the context of national security notices, and I pray it in aid here again.
Amendment 857 seeks to narrow the category of operators to whom a technical capability notice can be given. I am worried that that would limit the effects of law enforcement. We know about the diversification of criminality and terrorism in order to find new ways to avoid protection. I am concerned that narrowing the legislation would allow loopholes to get larger. It is therefore important that the obligations relating to the technical capabilities for a range of operators can be imposed by the Government in order to ensure we keep ahead of the curve.
The hon. and learned Lady made the powerful point that the clause does not relate to personally applied encryption. However, measures in part 3 of RIPA 2000 provide for where law enforcement agencies can require an individual to remove encryption that he or she has applied themselves. We know that the Bill generally does not cover all the agencies’ powers. This is perhaps a welcome opportunity to remind ourselves of the existing provisions in part 3, so I am grateful to her.
Of course we accept that it may well be appropriate to exclude certain categories of operator from obligations under the clause—I am thinking, for example, of small businesses; we are always mindful of the burden of regulation on small businesses—but it is our intention to use secondary legislation to achieve that. It would not be appropriate in primary legislation to impose blanket exemptions on services with a communications element that are not primarily communications services. To do so would send a rather alarming and clear message to terrorists and criminals that communications over certain systems will not be monitored. That sort of carve-out recalls the point that I made about the use by criminals of seemingly unrelated or innocuous communications channels in other internet facilities or apps, in order to hide their illicit enterprises.
I know that I have taken up an inordinate amount of the Committee’s time. I am obliged to the Committee and to you, Ms Dorries, for your indulgence. I hope that I have set out the reasons why I urge hon. Members to withdraw the amendment, and I pray in aid my arguments as advancing the case that the clause should stand part of the Bill. I urge the hon. and learned Gentleman to withdraw the amendment.
The Scottish National party is not happy with this clause without amendment. I was going to press it to a vote, but having heard what the Solicitor General said about the clause, and pending his writing to me, I am willing not to press it. I just lay down a marker in that respect.
Question put and agreed to.
Clause 217 accordingly ordered to stand part of the Bill.
Clause 218
Further provision about notices under section 216 or 217
Question proposed, That the clause stand part of the Bill.
The SNP takes the same position as it did on the previous clause.
Question put and agreed to.
Clause 218 accordingly ordered to stand part of the Bill.
Clause 219
Variation and revocation of notices
I beg to move amendment 734, in clause 219, page 170, line 8, at end insert
“(and in the application of section 218(3) and (4) in relation to varying a relevant notice, references to the notice are to be read as references to the notice as varied).”
This is a technical amendment. Ms Dorries, I should have welcomed you to the Chair earlier, but I do so now. The amendment is uncontentious and makes a drafting correction to clause 219. On that basis, it should not cause the Committee any undue concern, and I move it in that spirit.
Amendment 734 agreed to.
Clause 219, as amended, ordered to stand part of the Bill.
Clause 220
Review by the Secretary of State
With this it will be convenient to consider new clause 23—Review of the Operation of this Act—
“(1) The Secretary of State shall appoint an Independent Reviewer to prepare the first report on the operation of this Act within a period of six months beginning with the end of the initial period.
(2) In subsection (1) “the initial period” is the period of four years and six months beginning with the day on which this Act is passed.
(3) Subsequent reports will be prepared every five years after the first report in subsection (1).
(4) Any report prepared by the Independent Reviewer must be laid before Parliament by the Secretary of State as soon as the Secretary of State is satisfied it will not prejudice any criminal proceedings.
(5) The Secretary of State may, out of money provided by Parliament, pay a person appointed under subsection (1), both his expenses and also such allowances as the Secretary of State determines.”
I inform the Committee that I consider clause 222 and new clause 23 to be alternatives. If the Committee decides that clause 222 should stand part of the Bill, I will not put the Question on new clause 23. If the Committee decides that clause 222 should not stand part, when the Committee comes to decisions on new clauses, I will put the necessary Questions on new clause 23 without debate.
I take it, Ms Dorries, that I am entitled to make a submission as to why the clause should not stand part of the Bill, and should instead be replaced with new clause 23.
In short, it is welcome that following the recommendation of the Joint Committee on the draft Bill, there is now some sort of sunset provision in the Bill. Those who sat on the Joint Committee or read its report will recall that various people who gave evidence made a strong case for a sunset provision in the legislation. The Information Commissioner summarised that case by saying:
“The draft Bill is far reaching and has the power to affect the lives of all citizens to differing degrees. For these reasons, the bill should include a sunset clause or other provisions requiring effective post legislative scrutiny. This would ensure that measures of this magnitude remain necessary, are targeted on the right areas and are effective in practice. To fail to make this provision risks undermining public trust and confidence. It will also enable the legislation to be considered in the light of the latest jurisprudence from the”
Court of Justice of the European Union and the European Court of Human Rights. Various variations on the Information Commissioner’s proposal were put to the Joint Committee by other witnesses, including medConfidential, Dr Paul Bernal, the right hon. Member for Haltemprice and Howden (Mr Davis), Privacy International and the Interception of Communications Commissioner’s Office.
The Home Secretary expressed reservations about having a sunset provision, but it is good to see that there is now some such provision in the Bill. What is missing from it, however, is an independent element.
I am not unsympathetic to that suggestion, but let me qualify that slightly. There is an argument to say that we would want another reviewer involved in the process, because what we want is as much empiricism as possible. We have neither the time nor the patience for a long debate about the philosophical character of empiricism, and I am not an empiricist, philosophically, but in terms of legislation, it matters. There is an argument for introducing still more independence into the process.
The hon. and learned Gentleman is right to say that, of course, the Secretary of State would want to take into account the views of all those in positions of authority who have taken a view on the Bill and its implementation and effects in her or his report. I certainly would not want to exclude from that consideration any of the authoritative reports published on the Bill. I think that probably meets the hon. and learned Gentleman halfway, and perhaps a little more than halfway.
Any parliamentary review would take evidence from a range of witnesses. It is, again, almost inconceivable that the independent reviewer would not be a key witness, as our current independent reviewer was to the Joint Committee and other Committees of the House. It would—again, as the Joint Committee did—be likely to appoint technical advisers, who would inform the process and work in concert with the ISC. While the Government support a post-legislative review of the Bill, that review should be conducted by Parliament—by legislators drawing on external expertise and evidence, as the Joint Committee recommended. I therefore invite hon. Members not to press the new clause to a vote.
I will not press new clause 23 to a vote.
Question put and agreed to.
Clause 222 accordingly ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned. —(Simon Kirby.)