John Glen (Salisbury) (Con)

- Hansard -

Copy Link

-

I strongly support the principles behind the Bill, and I accept the provision for ICRs and the progress made towards achieving a balance between politicians and judges having oversight.

In the few minutes I have available, I want to focus on issues relating to technology. The Bill needs to be robust enough to deal both with technology as it actually is and with how rogue actors can use it. The principle of the security services having the right to intercept communications and to obtain relevant communications data, subject to the safeguards in the Bill, is absolutely vital. As a consequence, certain technical obligations must be placed on telecommunications operators to enable that to occur. In particular, clause 218(4) allows the Secretary of State to issue a notice to a communications provider, creating an obligation to remove

“electronic protection applied by or on behalf of that person to any communications or data”.

My concern is that the Bill must differentiate sufficiently between two very different ways of removing electronic protection. One is technically called an instance break, which is where one instance of a communication is accessed and decrypted. Not all communications of that type are decrypted. If we want to access another communication, we have to do the process again. The second is technically called a class break, which is where removal of electronic protection is not at the individual level, but at the level of the data encryption system itself. This is the problematic form of backdoors, where a platform or protocol has an inbuilt vulnerability that should, in theory, be known only by software engineers. Once we have the generic override, it can be applied to any communication that uses that platform or protocol.

We must acknowledge the increasing technological sophistication of the individuals who threaten our security, and that is obviously why the Government are introducing this Bill. Given that, we cannot realistically expect the inbuilt vulnerabilities in data encryption to remain secret only to those who create them. My concern is that, sooner or later, we should expect those vulnerabilities to be maliciously exploited by the same groups that we are trying to fight. Those measures intended to increase security would pose a greater security risk if exploited, as malign forces could then access a whole set of encrypted communications, not just one instance.

The distinction between an instance and a class break has long been recognised by the industry and is technically clear cut. It is usually much less financially costly to build in a backdoor, but much more dangerous to the integrity of a communications system. The Bill as it stands takes account of the financial cost of complying with a notice, but not the wider security implications. I hope that the Minister will seriously consider explicitly ruling out any obligation to create inbuilt vulnerabilities in software or communications systems and to require the Secretary of State to have regard to the preservation of electronic protection as a whole when she authorises the removal of it in one instance.

For this Bill to work, it must take seriously technology as it actually is, not as we hope that it might be. Creating backdoors may be cost-effective, but could create even greater vulnerabilities in our communications infrastructure and present a critical danger to national security. I support this Bill in its principles and its safeguards, but I hope that this listening posture of the Government will continue so that we can absolutely ensure that we get it right.