Julian Smith
Julian Smith (Conservative - Skipton and Ripon)
(10 years ago)
Commons Chamber
Will the shadow Minister explain a bit more of her party’s thoughts on making further changes in communications data and retention, because as she knows we need to do much more in this area and this is only the start?
The right hon. Gentleman has made his point, and we will obviously disagree on what I have just said.
Our view, agreed with by most of the Joint Committee on the draft Bill, is that the data required to link an IP address to a device is one such category of data that is required and therefore we welcome what in principle clause 17 seeks to achieve. I say “in principle” because we do have some concerns about the drafting of clause 17, which is why we have tabled amendment 5.
I will give way, but, as I have said, I do want to get on to the substantive issues.
I am grateful to the shadow Minister for giving way. Will she just clarify briefly the further categories that she sees becoming more important, and where the Government and coalition can expect Labour’s support as they seek to put more of these areas on to the statute book?
What I will come on to say about some of the concerns we have might help the hon. Gentleman, but his question obviously leads into a debate that goes wider than this particular grouping, which is specifically on clause 17, and in the Committee stage of the Bill. I will therefore continue with my points on this grouping, because I am sure I would be in trouble if I did not do that.
To repeat, although in principle we support clause 17, we have some concerns about its drafting, which is why we have tabled amendment 5. Because of the broad label “relevant internet data”, we want to put it beyond doubt that the category of data to be retained under clause 17 does not extend beyond what is strictly necessary to link an IP address to a user.
In the Bill, the definition of “relevant internet data” is data which
“relates to an internet access service or an internet communications service”
and
“may be used to identify, or assist in identifying, which internet protocol address…belongs to the sender or recipient of a communication”.
While this appears to include a whole host of other traffic data, including web logs, clause 17 also states that “relevant internet data” is not “communications data” as defined by the schedule to the Data Retention Regulations 2014 or information as defined in clause 17(3)(c), which is supposed to exclude web logs from this provision. We have concerns about the accuracy with which subsection (3)(c) captures the nature of web logs, which is why we have tabled amendment 5. I hope the regulations this clause will enable will be clearer than this primary clause in the legislation. It is disappointing that, unlike with the DRIP Bill, the draft regulations have not yet been published alongside the Bill. This has caused problems for Parliament’s ability to provide proper scrutiny of this clause.
As well as accepting our amendment 5, which I hope the Minister will be able to do, I urge him to go back and look again at the drafting of clause 17 before Report. In order to increase public confidence in the use of retained communications data we need to be clear about what is retained and I believe clause 17 and the accompanying explanatory notes could be better in this regard.
The hon. Lady talks about web logs. Will she clarify the Opposition’s long-term position on that issue, and what she sees will happen in the future, when on many sides of the security spectrum there seems to be a consensus that there is a need to bring these areas in eventually?
I will just reiterate that we are dealing with clause 17, and we are very mindful that we want to ensure that web logs are not included under this clause. My focus is on getting clarity on that from the Minister. What might happen in the long term is perhaps a debate for another time. I am concerned that we get the drafting of this clause as accurate as we can.
I was talking about making sure the public are confident about what we are trying to do through clause 17, and what is included and what is not included. The data at the heart of clause 17 appear to be what is commonly referred to as “IP resolution data”, but this term does not appear in the text of the explanatory notes, and I hope the Minister will be able to explain whether they do refer to the same thing, as there is some confusion here.
As I explained, clause 17 is meant to plug a gap within the current framework for data retention, but when we compare the language of the Bill with the text of the current regulations, the gap is not immediately obvious. Clause 17 refers to data which
“relates to an internet access service or an internet communications service”
and
“may be used to identify, or assist in identifying, which internet protocol address…belongs to the sender or recipient of a communication”.
However, part 3, paragraph 11 of the schedule to the existing regulations refers to the subscriber information
“to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.”
I ask the Minister to look at this and see whether he cannot amend the language to make clear on the face of the Bill the exact data category that will be provided for in the regulations.
I am also concerned about the degree to which clause 17 relies on definitions provided from the Regulation of Investigatory Powers Act 2000. I am sure the Minister is aware of the findings of the Joint Committee on the Draft Communications Data Bill that the definitions used in RIPA were out of date and needed to be replaced. Given this, it is surprising to see both the definition of “communication” and section (3)(c) of the clause rely so heavily on RIPA definitions.
I would also like the Minister to look again at the definition of “identifier.” According to clause 17
“‘identifier’ means an identifier used to facilitate the transmission of a communication”.
This is at least partly circular, and again adds to the confusion around this clause. Finally, in subsection (2)(b) will the Minister confirm that he does indeed mean “paragraph (a)” rather than subsection (a)?
In addition to the five questions above regarding the drafting, I have 10 questions about the implementation that I hope the Minister will be able to address in his comments. First, will he tell the House whether he expects to introduce new retention regulations under DRIPA section 1, or will the Government be seeking to amend the Data Retention Regulations 2014? Secondly, and on a similar note, will he update the House on when he expects to publish these draft regulations and when he hopes they will be in force? Thirdly, when the data covered under clause 17 is traffic data, while the relevant authority wants to reveal the subscriber information behind this, will this be covered under a single request under RIPA, or could clause 17 data simply lead to a disclosure which requires a further RIPA request to be made? Fourthly—this is particularly relevant to amendment 5—will he assure the House that the retention by the Crown Prosecution Service of this relevant internet data can be done in such a way that does not require deep package inspections of the type that would be considered intrusive surveillance? Fifthly—and again relating to amendment 5—will the Minister explain in practice how the regulations will separate out communications going to a device, which could be a web log, such as access to an app, which would be considered a website, and communications going to a device which enables a communication, such as an app which facilitates web e-mail storage?
Sixthly, will the Minister confirm that the extra reporting requirements imposed on the interception of communications commissioner by the DRIP Act will extend to the data retained and subsequently requested under clause 17? Will the Minister be providing additional resources to the commissioner to meet those additional requirements?
The hon. Member for Kingston upon Hull North (Diana Johnson) is right to seek clarification to satisfy herself and her colleagues that clause 17 achieves its intended purpose and no more. Its intended purpose is reasonable: to keep up with the technological changes that lead evildoers to move from one technology to another, and become more difficult to track as they do so.
Does my right hon. Friend agree that this provision does not keep up with the technology, and that much more has to happen and will happen? Will he clarify his party’s position on the changes that will have to come?
The hon. Gentleman has a strange desire, which he has expressed during a previous speech, to extend the debate beyond the bounds of clause 17 and the amendments to it. I do not think we should be drawn into that at the moment, except to make the general point that all processes involving intrusion into people’s private communications should have high levels of justification before they are used at all, and protections should be provided by various safeguards and authorisations. Finding the right balance for different levels of communication is a difficult task, and I expect a great deal of work will need to be done. Most of us in this House, and certainly most in my party, do not want, either by design or accidental discovery, a great deal of personal information about people to get in the hands of the state and its employees without any reasonable justification. On a matter that will be raised when the hon. Member for Hayes and Harlington (John McDonnell) speaks, nor do we want the processes of investigation by journalists to be impaired by a fear that sources will be compromised from the beginning. There are very good reasons for extreme caution in this area, but I believe the Government have exercised that caution and sought to devise a process to deal with a particular and recognisable difficulty.
I wish to begin by providing some context. The Intelligence and Security Committee’s report in February 2013 referred to the Home Office’s assessment that there was a
“25% shortfall in the communications data that public authorities would wish to access and what they are currently able to access.”
That is, of course, an estimate, as it is not possible to be precise about what is unknowable, but the existence of a shortfall is a legitimate cause for concern. The report goes on to suggest that
“left unchecked, this gap will increase.”
Perhaps the Minister will be able to say whether it has increased and, if so, whether by an appreciable amount. It would be interesting to know that, and I suspect it has increased.
It is worth spending a little more time examining what we know about both the scale and the sources of interceptions that take place. In his annual report for 2013, the interception of communications commissioner, Sir Anthony May, noted that the total number of authorisations for interception of communications data under part 1 of RIPA stood at 514,608, down from 570,135 in 2012. He pointed out that these figures do not represent sole individuals, because
“public authorities often make multiple requests for communications data in the course of a single investigation but also make multiple requests for communications data in relation to the same individual.”
The figures give some indication of the scale of this, rather than the number of individuals who are covered. Under the same process, Sir Anthony notes that 87.7% of authorisations were at the request of the police and law enforcement agencies, 11.5% were from the intelligence agencies, and the rest were from local and other public bodies.
Worldwide, the scale of online communications is daunting. About 3 billion people have access to the internet, and during the time I have been speaking more than 200 million e-mails will have been sent, 2 million Google searches will have been made and there will have been 6 million Facebook views. So why is it considered important that the police, intelligence agencies and other bodies have access to some of the data records of these online communications? Overwhelmingly, internet traffic is benign; it is people using the various platforms for perfectly legitimate and legal purposes. However, a small proportion—I estimate it to be no more than a tiny fraction of 1%—is used for illegal purposes, and my hon. Friend the Member for Kingston upon Hull North (Diana Johnson) referred to some other purposes that are cause for concern.
My hon. Friend’s new clause 2 would, if agreed, require the Home Secretary to review the time taken by communications service providers to disclose information linking an individual to an internet protocol address. That is important for two reasons. The first is that, as we tragically discovered with Fusilier Lee Rigby’s murder, CSPs will, on occasion, receive information that in some cases could crucially be the catalyst for a warrant to enable greater surveillance measures on an individual to take place. In turn that can, in some cases, prevent a terrorist attack.
IP addresses are the key to unlocking who is contacting whom, and that can be critical. But they are not straightforward. Typically, a communications service provider with, say, 10 million to 15 million customers would have allocated to it 100,000 IP addresses. For the larger commercial bodies or public bodies, a series of static IP addresses will be allocated. But for the vast majority of users, IP addresses are dynamic. In practice, a range of numbers is allocated randomly to customers, which is why the former head of GCHQ used the analogy of finding a needle in a haystack.
Secondly, the range of platforms is constantly changing, with new ones entering the market all the time. A good example of that is WhatsApp, which was recently acquired by Facebook for $22 billion. On 1 April, that platform, which is adaptable and easy to use, handled, over a 24-hour period, 64 billion messages, 20 billion of which were sent and 44 billion of which were received. In such a dynamic sphere of activity, it is vital that procedures are in place and properly monitored to ensure that, when the security and intelligence services need to locate a needle in a haystack, the haystack is still in place, and that is what this section of the Bill seeks to ensure. It means that urgent inquiries of either a historical or planned terrorist or criminal activity can be located.
The right hon. Gentleman makes a powerful case for us to go further. What would he do now? He has made it clear that there are many technologies that need much more scrutiny and oversight. What would he do if he were in charge?
Had the hon. Gentleman waited a while longer, I was about to say what more could be done. It is right that we have a statutory provision, and, subject to the concerns that my hon. Friend the Member for Kingston upon Hull North highlighted being satisfied, the provisions contained in the Bill are appropriate. However, there is a problem that we cannot resolve within the context of our own domestic legislation. Many of the communications service providers are not based in the UK; they are based mostly in the United States. Increasingly, the Republic of Ireland is seen as a location of choice for some companies. Google and perhaps one other CSP have already relocated there. It is increasingly clear that whatever legislation we put in place, it will not, of itself, be enough to resolve the problem.
Exactly. I was not arguing for preferential status for journalists—God forbid that I do that here. I was coming on to that point: this is about the ability to make sure a source is protected—as we all know, sources are often whistleblowers, blowing the whistle on abuses by public authorities and others—but it is also relevant to the protection of journalists themselves. We have seen across the world how, when the confidentiality of journalists’ sources is undermined, journalists become just as much a target as their sources, and in recent years large numbers of journalists in various countries have died as a result of persecution. What I am trying to say is that it is critical that we protect the role journalists play and enable them to undertake their work.
We have legislated in accordance with that principle—in the Police and Criminal Evidence Act 1984, for example. I agree with my right hon. Friend the Member for Knowsley (Mr Howarth) that it is always difficult to find the mechanism, but the mechanism under PACE was the ability of the court to determine whether a production order should be made. We gave it over to the courts to determine that. What was important about that is that the journalist was notified of the application and could contest it before the court, and a decision would then be made that commanded the confidence of all those involved. The classic case since then is when the police failed to get an order under PACE and then used RIPA to obtain an order against a journalist to get information relating to articles that were being written, including the sources of that information. I think it was generally felt in the House that that was not what we intended when we passed PACE and was not in the spirit of RIPA. We have for some time consistently tried to get Government and this House—the responsibility falls on the shoulders of us all—to do exactly as my right hon. Friend said and to find an appropriate mechanism.
I tabled new clause 1 because I cannot find an effective mechanism other than the use of the courts at some stage. My hon. Friend the Member for Kingston upon Hull North (Diana Johnson) asked whether it is a mechanism to enable the court to determine whether due process has been followed or the merits of a case. I have left that open for now because I welcome the discussion, but in my view, it is both.
I hope the hon. Gentleman is not going to ask me a detailed question about my long-term future policy.
Does the hon. Gentleman not agree that a mechanism is already in place, because David Anderson is conducting a review of the rules and regulations? In tabling the amendments, the hon. Gentleman has jumped the gun. Surely we have to wait for David Anderson’s report.
That is a valid point. I tabled the amendments to say that there is a sense of urgency. Something needs to be done now; some steps need to be taken immediately—before the Anderson review, to be frank.
I have raised this matter previously and engaged in dialogue with the Minister. I have a clutch of papers here, because I wanted to be sure of the accuracy of my remarks. I raised it way back on 22 July, in the debate on regulations made under DRIPA. The Minister responded in a letter received on 28 July:
“The Government…intend to bring forward amendments to the Acquisition and Disclosure Code of Practice to make this clear”.
What he was making clear was, I think, the importance of some form of understanding of the role of journalists and their sources, and therefore sensitivity in the approach taken. That becomes even more important now that in this legislation we are extending the range of the data to be collected. I take the point that this does not identify individuals, but on the information provided by Big Brother Watch and contained in the House of Commons research paper, the definitions have been narrowed. Big Brother Watch is concerned about
“the possibility of more personal information being accessed than first implied. … This means that the identity of an individual has the potential to be fully revealed by these powers.”
There is thus some uncertainty about how the powers could be used to drill down into the information to identify an individual and therefore a source and put everyone at risk.
I do not believe that the code has yet been published. I will give way to the Minister if he wishes to tell me.
I recognise that in certain circumstances that might be appropriate, but the challenge in this case is the fast-paced nature of technology, which means we would always be playing catch-up. The original RIPA legislation was therefore intended to be technology-neutral so that, if the technology moved on, it was still able to capture that, just as our criminal law is intended to cover all forms of communications. I think that might be a better way of seeking to achieve that. However, that is part and parcel of David Anderson’s review of RIPA, and therefore the existing legislation and a number of the themes that have been touched on by right hon. and hon. Members in this debate, and also the continuing utility of these provisions.
It will be almost two years since the Liberal Democrats and one or two other Members scuppered the Communications Data Bill. What is the Minister’s assessment of the risk of waiting until next year, because my concern is that the enemy is not going away?
This issue is not going away, and we need to make further changes. I can see the eroding capability of our law enforcement and security agencies. While this plugs an element, there is still more to be done to ensure that our police and security services are able to protect us, and that there is evidence that can be presented in court. On these issues relating to communications data, we are talking about evidence, not merely intelligence. These are hard pieces of information that can be presented in court to secure prosecutions. This is really essential because of the underpinning that it provides to our prosecutorial system.
The Bill does not incorporate provisions on weblogs, but apps and weblogs can be directly instructive in this respect, and the House will need to confront that in, I hope, an informed way. The reviews that the Intelligence and Security Committee and David Anderson are undertaking will inform that debate rather than its being completely informed by belief or emotion, important as those elements are to ensure that it is properly reflective of the view of our communities and the public. We must ensure that the facts are there as we examine the picture, in order to provide the basis for a rational debate when the House considers the legislation it will need to pass before December 2016.
We are all aware that Eurotunnel is expanding its services, with more train services going to the continent. Will the Minister confirm that the provisions will apply to those services?
Under existing regulations and requirements, existing Eurostar and freight services through the channel tunnel are already obliged to meet security requirements on screening and other steps. The intent behind the provisions in the Bill is to look to a future where we have open access, and ensure we have the ability to impose similar controls, assurances and protections in relation to security. It is precisely for that future-proofing that we are introducing the provisions. I hope that explanation is helpful to the Committee.