Keir Starmer

- Hansard -

Copy Link

- - Excerpts

The amendments go in pairs: amendments 853 and 854 are to clause 216, amendments 845 and 855 to clause 217 and amendments 852 and 859 to clause 220. They all have the same purpose and intent: to subject the powers in the clauses to the double-lock mechanism—in other words, to involve the judicial commissioners in those powers.

Clause 216 is concerned with national security notices. Subsections (1) and (2) make the power to issue such notices subject only to the test that they be

“necessary in the interests of national security”

and “proportionate”. There is no specific reference to any operational purposes; it is a very broad power. Once a notice is issued, subsection (3) takes effect:

“A national security notice may…require the operator to whom it is given—

(a) to carry out any conduct, including the provision of services or facilities, for the purpose of—

(i) facilitating anything done by an intelligence service under any enactment other than this Act, or

(ii) dealing with an emergency (within the meaning of…the Civil Contingencies Act 2004);

(b) to provide services or facilities for the purpose of assisting an intelligence service to carry out its functions more securely or more effectively.”

The Secretary of State issues a notice; once that notice is issued, the requirement on the operator is very broad. To be fair, subsection (4) makes it clear that a national security notice cannot be used to sideline or cut across a warrant or authorisation that is required under the Act, but the clause does make a very wide-ranging power available to the Secretary of State and it seems subject to pretty well no check, balance or safeguard.

The amendments would subject the procedure to the double-lock mechanism, to ensure that such a notice would go before a judicial commissioner, who would consider whether it was in the interests of national security and proportionate under subsections (1) and (2). The Joint Committee raised concerns about this issue when it looked at the draft Bill, and in particular how the lack of a definition of national security means that the power granted by the clause is very wide indeed.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

There are clear reasons for not going down that route. We are talking about the preparatory stage as opposed to the stage of interference with privacy. If the Government’s position was that there was a loophole—a gateway—to allow such interference, the hon. and learned Gentleman’s argument would have real strength, but that is far from the case. This is all about the preparatory stages—the necessary stages that need to be taken by communications service providers before we get to the application for what we all accept is an intrusion.

I am afraid I cannot share with hon. Members their analysis that we need a “now and forever” definition of national security in law. There is a good reason why national security is not defined in statute. Any attempt to define it in the Bill runs a real risk of restricting the ability of this country to respond to constantly evolving and unpredictable threats. It is vital that legislation does not, however unintentionally, constrain the ability of our security and intelligence agencies to protect this country. The examples are all around us: who would have imagined a few years ago cyber-attacks of the nature and on the scale that now threaten us? My concern is that if we try to rigidly define what we mean by national security, we run the risk of defeating the means by which we can keep this country safe.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

I have gone as far as I can to explain the types of scenarios that the national security notices would be used for. In essence, they deal with the nuts and bolts rather than the intrusion. If somehow there was a gateway into intrusion, the hon. and learned Lady would be absolutely right, but I assure her that there is not, so the worries that she and other people and organisations have about a blank cheque, while understandable, are unfounded. I can assure her in Committee and I am happy to continue to make the assurance that the function of this type of notice is not intrusion.

Indeed, we have oversight because national security notices will be overseen by the Investigatory Powers Commissioner. The commissioner will have a duty to report at least once a year on what he or she has found and to make recommendations on where improvements can be made. The commissioner will also have the power to report on an ad hoc basis on any issue that he or she considers appropriate.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

In arguing in opposition to the amendments, I first want to address the last point that the hon. and learned Member for Holborn and St Pancras made. I can come back to his point about the tests, but in a nutshell, they are inherent to the Bill. The tests of necessity and proportionality are part and parcel of the decision-making process that the authority will be enjoined to carry out.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

I hear the hon. and learned Lady, but I am not convinced that the basis of her argument is right given the breadth of the power. As I said in the context of national security notices, the technical capability notice is only a preliminary step. It will allow the subsequent implementation of a warrant, which will then be subject to the tests of necessity and proportionality. I would not want the Committee to operate under a misapprehension. It is my strong, and I hope clear, assertion that we are dealing with an earlier stage of the process, so we should not be driven to the conclusions that I know critics of the Bill want us to reach.

May I deal with encryption, which, as the hon. and learned Gentleman rightly characterised, is at the heart of the matter? I put it on the record that the Government recognise the vital importance of encryption. It has become part of our daily lives. It keeps our personal data and intellectual property secure and ensures safe online commerce, and the Government work closely with industry and business to improve their cyber-security. I can reassure the Committee that in the preparation of the code of practice, there has been close consultation with the interested parties in the industry to ensure that it comprehensively reflects the realities and needs of those who operate in this sphere. Not only does the code of practice replicate the provisions of RIPA, but it goes further, with a degree of specificity that is not possible in primary legislation. It will be a flexible, living instrument that will form a clear prospectus within which everyone can work. I make no apology for the measure being in a code practice, which is where it should be, rather than in primary legislation. With the best will in the world, we all know that it is difficult to amend primary legislation and ensure that it keeps pace with the somewhat breathtaking changes that occur in this particular field of operation.

I also want to talk about the role of GCHQ, which plays a vital information assurance role and provides advice and guidance to allow the Government, industry and the general public to protect their IT systems and use the internet safely. As the director of GCHQ, Robert Hannigan, made clear in his speech on 8 March:

“I am accountable to our Prime Minister just as much, if not more, for the state of cyber security in the UK as I am for intelligence collection.”

In the past two years the security and intelligence agencies have disclosed vulnerabilities in every major mobile and desktop platform, including some of the big names that underpin business here in the UK. In September 2015, Apple publicly credited CESG, the information assurance arm of GCHQ, with detecting a vulnerability in its operating system for iPhones and iPads, and we all know where that vulnerability could have led. The vulnerability was fixed as a result of that intervention, so the suggestion, which I know has not been advanced in this Committee—and I hope will not be—that the Government are opposed to encryption, or would legislate to undermine it, is wholly wrong.

We have to ensure that we have the necessary capabilities to keep our systems safe. Encryption is now, in effect, the default setting for most of our IT products and online services, and although it can be a power for good in keeping the law-abiding safe and secure, sadly it is used easily and all too cheaply by terrorists, paedophiles and other criminals. Therefore it can only be right that we retain the ability to require telecommunications operators to remove encryption in strictly limited circumstances, with strong controls and safeguards, so that we can address the increasing technical sophistication of those who would seek to do us harm. If we do not do that, we must simply accept that there are areas online that are beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. I do not accept that, and I know the general public do not accept it either. That is our starting principle.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

Not without the permission of the Secretary of State. I will return to the mechanism in question, but I am grateful to the hon. and learned Lady for raising that point. I am sure I will be able to provide her with clarity as I develop my remarks.

The starting principle is shared by David Anderson, who in his important review said:

“My first principle is that no-go areas for law enforcement should be minimised as far as possible, whether in the physical or the digital world.”

That view was shared by the Joint Committee on the draft Bill and is shared by the Select Committee on Science and Technology, both of which recognise that, in tightly prescribed circumstances, it should remain possible for our law enforcement and security and intelligence agencies to be able to access decrypted communications or data. That is what clauses 217 and 218 are all about: strong safeguards to ensure that obligations to remove encryption can be imposed only in limited circumstances, subject to rigorous controls.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

The hon. Gentleman is right to make that important point and to steer us back on to the straight and narrow. I am not criticising the Committee for trying to bring the Bill to life with some examples. We are indeed talking about communications service providers, not third parties, which is important in the context of the Bill.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

The hon. and learned Lady is absolutely right to bring us back to clause 217(2). The problem that hon. Members are anticipating is that the provisions will somehow catch parties that no one would regard as appropriate. I think I have given clear assurances on that third party problem.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

In endeavouring to answer my right hon. Friend’s point, may I deal first with the question about telecommunications operators? Some assistance may be gained from clause 223(10), where a telecommunications operator is defined in a way that includes Apple. The famous Apple case—the California case—was about the use of a password, which is slightly different from the question of encryption, but it does demonstrate the important tussle between the need to balance public safety and privacy. In that case, the FBI, with an appropriate search warrant, was asking for the chance to try to guess the terrorist’s passcode without the phone essentially self-destructing—after so many tries, everything gets wiped.

We are talking about an attempt to obtain communications data within the robust legal framework that we have set out, with the double lock and all the other mechanisms that my right hon. Friend and the Committee are familiar with. I am grateful to him for raising that case, but there are important differences that it would be wrong to ignore. In a nutshell, without the powers contained in the Bill, a whole swathe of criminal communication would be removed from the reach of the authorities. That is not in the interests of the constituents he has served with distinction for well over a quarter of a century—he will forgive me for saying that—or any other of the constituents we represent.

I was going to come back to the obligations imposed under a technical capability notice, with particular regard to the removal of encryption. The obligations imposed under such a notice will require the relevant operator to maintain the capability to remove encryption when it is later served with a warrant notice or authorisation. That is different from merely requiring it to remove encryption. In other words, it must maintain the capability, but there then needs to be the next stage, which is the warrant application and the notice of authorisation, where there is of course the double lock. The company on which the warrant is served will not be required to take any steps, such as to remove encryption, that are not reasonably practicable.

In a nutshell, this measure is about not an interference with privacy but sets out the preparatory stage before a warrant can be applied for. The safeguards provide the strict controls that I assure the Committee are needed in this sphere of activity. We are maintaining and clarifying the existing legal position.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

I think it is clause 220, but I will get some further assistance on that point for the hon. and learned Lady before I resume my seat. I am grateful for that intervention.

The Bill does not drive a coach and horses through encryption. It does not ban it or do anything to limit its use. A national security notice—we debated this matter on clause 216—cannot require the removal of encryption, which further supports my argument that there is no blank cheque in the context of these notices. On the issue of civility, rather than keep this Committee waiting, I will write to the hon. and learned Lady to clarify the point that she rightly raised.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

I am glad that my hon. and learned Friend has reminded us of that. I referred earlier to that consultation process. The next stage is when the Secretary of State decides to proceed. I will consider that issue even more carefully to ensure that the Committee is furnished with as much information as possible before Report.

Let me deal with the amendments tabled in the name of the hon. and learned Member for Holborn and St Pancras and others. On amendment 846, the Bill already makes it absolutely clear that a communications service provider will not be obligated to remove encryption where it is not reasonably practicable for them to do so. I do not think the amendment adds anything, and in many cases it would have the effect of inhibiting law enforcement agencies and the security and intelligence services from working constructively with tele- communications operators as the technology develops. I am sure that that is not the intention of the amendment. Depending on the individual company and the individual circumstances, it may be entirely sensible for the Government to work with a company to determine whether it would be reasonably practicable for it to take steps to develop and maintain the technical capability to remove the encryption it has applied to communications or data.

My worry about the amendment is that we would end up with communications services that can be used by criminals and others to communicate with each other unimpeded. We know that internet gambling sites, which have chat room provisions, are used by criminals for entirely unrelated criminal activities. I am sure that that is not the intention behind the amendment. Therefore, with respect, I urge hon. Members to reconsider it.

I will not deal in detail with amendment 847, because I do not think the hon. and learned Gentleman seeks to press it. Although I oppose it, I will move on without argument to amendments 848 and 858. We have discussed similar amendments on extraterritoriality in relation to other powers in the Bill. I pray in aid the arguments I used earlier. The provisions in the Bill allow a notice to be given in the most appropriate manner, taking into account the preferences of each company, which is an example of the adaptability of the legislation to the real world.

Amendment 848 is unnecessary because the clause is about not the acquisition but the development and maintenance of a technical capability. Conflict of law issues are much more likely to arise in respect of giving effect to a warrant, and we already have protection in the Bill for such cases. Admirable though the amendment may seem, it is therefore unnecessary.

Amendment 849 is unnecessary because it duplicates provisions in clauses 218, 216 and 217. I have discussed clause 218(3), which stipulates that the Secretary of State must consider a wide range of matters before giving a notice. That detailed assessment already speaks to the issues raised by the amendment. The Secretary of State has to be satisfied that the conduct is proportionate, justified, necessary and practicable.

The Solicitor General

- Hansard -

Copy Link

- - Excerpts

That question is about the definition of the provider. I am sure we will be able to provide some clarity on that before I draw my remarks to a conclusion. I am grateful to the hon. and learned Lady for raising that point.

Amendment 850 relates to consideration by the Secretary of State of the effect of a notice on the privacy and human rights of people both here and outside the kingdom. The amendment is unnecessary because of the point I made before, which I will reiterate: the clause is not about notices authorising an interference with privacy. A warrant provided for elsewhere in the Bill is required to do that, and we have already considered the potency of the double lock and the test to be applied. A point that is relevant to all the amendments in this group is the statutory function of the Investigatory Powers Commissioner to oversee the use of notices. I raised that in the context of national security notices, and I pray it in aid here again.

Amendment 857 seeks to narrow the category of operators to whom a technical capability notice can be given. I am worried that that would limit the effects of law enforcement. We know about the diversification of criminality and terrorism in order to find new ways to avoid protection. I am concerned that narrowing the legislation would allow loopholes to get larger. It is therefore important that the obligations relating to the technical capabilities for a range of operators can be imposed by the Government in order to ensure we keep ahead of the curve.

The hon. and learned Lady made the powerful point that the clause does not relate to personally applied encryption. However, measures in part 3 of RIPA 2000 provide for where law enforcement agencies can require an individual to remove encryption that he or she has applied themselves. We know that the Bill generally does not cover all the agencies’ powers. This is perhaps a welcome opportunity to remind ourselves of the existing provisions in part 3, so I am grateful to her.

Of course we accept that it may well be appropriate to exclude certain categories of operator from obligations under the clause—I am thinking, for example, of small businesses; we are always mindful of the burden of regulation on small businesses—but it is our intention to use secondary legislation to achieve that. It would not be appropriate in primary legislation to impose blanket exemptions on services with a communications element that are not primarily communications services. To do so would send a rather alarming and clear message to terrorists and criminals that communications over certain systems will not be monitored. That sort of carve-out recalls the point that I made about the use by criminals of seemingly unrelated or innocuous communications channels in other internet facilities or apps, in order to hide their illicit enterprises.

I know that I have taken up an inordinate amount of the Committee’s time. I am obliged to the Committee and to you, Ms Dorries, for your indulgence. I hope that I have set out the reasons why I urge hon. Members to withdraw the amendment, and I pray in aid my arguments as advancing the case that the clause should stand part of the Bill. I urge the hon. and learned Gentleman to withdraw the amendment.

Mr Hayes

- Hansard -

Copy Link

- - Excerpts

I beg to move amendment 734, in clause 219, page 170, line 8, at end insert

“(and in the application of section 218(3) and (4) in relation to varying a relevant notice, references to the notice are to be read as references to the notice as varied).”

This is a technical amendment. Ms Dorries, I should have welcomed you to the Chair earlier, but I do so now. The amendment is uncontentious and makes a drafting correction to clause 219. On that basis, it should not cause the Committee any undue concern, and I move it in that spirit.

Amendment 734 agreed to.

Clause 219, as amended, ordered to stand part of the Bill.

Clause 220

Review by the Secretary of State

The Chair

- Hansard -

Copy Link

With this it will be convenient to consider new clause 23—Review of the Operation of this Act—

“(1) The Secretary of State shall appoint an Independent Reviewer to prepare the first report on the operation of this Act within a period of six months beginning with the end of the initial period.

(2) In subsection (1) “the initial period” is the period of four years and six months beginning with the day on which this Act is passed.

(3) Subsequent reports will be prepared every five years after the first report in subsection (1).

(4) Any report prepared by the Independent Reviewer must be laid before Parliament by the Secretary of State as soon as the Secretary of State is satisfied it will not prejudice any criminal proceedings.

(5) The Secretary of State may, out of money provided by Parliament, pay a person appointed under subsection (1), both his expenses and also such allowances as the Secretary of State determines.”

I inform the Committee that I consider clause 222 and new clause 23 to be alternatives. If the Committee decides that clause 222 should stand part of the Bill, I will not put the Question on new clause 23. If the Committee decides that clause 222 should not stand part, when the Committee comes to decisions on new clauses, I will put the necessary Questions on new clause 23 without debate.

The Chair

- Hansard -

Copy Link

Exactly.

Mr Hayes

- Hansard -

Copy Link

- - Excerpts

I am not unsympathetic to that suggestion, but let me qualify that slightly. There is an argument to say that we would want another reviewer involved in the process, because what we want is as much empiricism as possible. We have neither the time nor the patience for a long debate about the philosophical character of empiricism, and I am not an empiricist, philosophically, but in terms of legislation, it matters. There is an argument for introducing still more independence into the process.

The hon. and learned Gentleman is right to say that, of course, the Secretary of State would want to take into account the views of all those in positions of authority who have taken a view on the Bill and its implementation and effects in her or his report. I certainly would not want to exclude from that consideration any of the authoritative reports published on the Bill. I think that probably meets the hon. and learned Gentleman halfway, and perhaps a little more than halfway.

Any parliamentary review would take evidence from a range of witnesses. It is, again, almost inconceivable that the independent reviewer would not be a key witness, as our current independent reviewer was to the Joint Committee and other Committees of the House. It would—again, as the Joint Committee did—be likely to appoint technical advisers, who would inform the process and work in concert with the ISC. While the Government support a post-legislative review of the Bill, that review should be conducted by Parliament—by legislators drawing on external expertise and evidence, as the Joint Committee recommended. I therefore invite hon. Members not to press the new clause to a vote.