Lord Beith
(8 years, 1 month ago)
Lords Chamber
My Lords, Amendment 250A would define a technical capability notice as,
“specifying the distinct service or product to which the notice applies”.
I do not believe this amendment is necessary. The safeguards that apply to the giving of a notice under the Bill already ensure that a technical capability notice cannot be of a generic nature. I will not go into detail here about the lengthy process that must be undertaken before a notice can be given; we have discussed them at length previously and we will undoubtedly review them again shortly during our discussions on encryption. But it might be helpful for me to summarise.
Before giving a notice, the Secretary of State must consult the company concerned. This process will ensure that the company is fully aware of which services the notice applies to. The decision to issue a notice must be approved by the Secretary of State and a judicial commissioner. The obligations set out in the notice must be clear so that the Secretary of State and judicial commissioner can take a view as to the necessity and proportionality of the conduct required. As I have already mentioned, we propose a similar role for the judicial commissioner when a notice is varied. The operator may raise any concerns about the requirements to be set out in the notice, including any lack of clarity regarding their scope, during the consultation process. The operator may also seek a formal review of their obligations, as provided for in Clause 233. The safeguards which apply to the giving of a notice have been strengthened during the Bill’s passage through Parliament, and will ensure that the regime provided for under the Bill will be more targeted than that under existing legislation. It is for these reasons that I consider the amendment unnecessary.
Amendment 251A seeks to narrow the category of operators to whom a technical capability notice could be given. This change would exclude operators that provide services that have a communications element but are not primarily a communication service. This amendment, which has already been discussed in the Commons, is also unnecessary and, in my view, risks dangerously limiting the capabilities of law enforcement and the security and intelligence agencies. We are aware that the manner in which criminals and terrorists communicate is diversifying, as they attempt to find new ways to evade detection. We cannot be in a situation where terrorists, paedophiles and other criminals can use technology to escape justice. As David Anderson said,
“no-go areas for law enforcement should be minimised as far as possible, whether in the physical or the digital world”.
It is important that the Government can continue to impose obligations relating to technical capabilities on a range of operators to ensure that law enforcement and the security and intelligence agencies can access, in a timely manner, communications of criminals and terrorists using less conventional services, such as those offered by gaming service providers and online marketplaces. It may be appropriate to exclude certain categories of operators from obligations under this clause, such as small businesses, but it is our intention to use secondary legislation to do so. It would not be appropriate to impose blanket exemptions on services that have a communications element but are primarily not a communication service, since to do so would make it clear to terrorists and criminals that communications over such systems could not be monitored.
For all the reasons I have set out, I hope that the noble Lord, Lord Paddick, will feel able to withdraw his amendment.
Before the noble Earl sits down, I refer to a point which at least needs to be borne in mind in drafting regulations. In most circumstances, if the Government impose upon a business an obligation of some kind, and behave totally unreasonably in doing so—or the business thinks that the Government are behaving unreasonably—the matter will end up in public discussion and the company has the weapon of saying to the public at large, “The Government are asking us to do something unreasonable”. That must not happen in these circumstances because clearly secrecy must be maintained. Therefore, the company is in a weaker position than it would be in the normal exchange between government and business. I hope that Ministers will recognise that fact.
With the leave of the House, I am grateful to the noble Lord for raising that point, which I think will come up in the next group of amendments when we discuss encryption because it is centre stage in that issue. He is absolutely right and I hope that I can assuage his concerns in the next debate.
My Lords, I hope that the House will allow me to speak at somewhat greater length than usual in responding to these amendments. I recognise the concern that lies behind them and I also recognise that, although we debated the Bill’s provisions on encryption in Committee, there is a need to correct a number of misconceptions that have been expressed and to set out the reality of the Government’s position on encryption. I would also like to make clear what the provisions in the Bill do and, crucially, what they do not do, and to explain why these provisions are so important to our law enforcement and intelligence agencies. I hope that, by setting this out, I can reassure noble Lords that the amendments are not necessary.
As we have made clear before, the Government recognise the importance of encryption. It keeps people’s personal data and intellectual property secure and ensures safe online commerce. The Government work closely with industry and businesses to improve their cybersecurity. For example, GCHQ plays a vital information assurance role, providing advice and guidance to enable government, industry and the public to protect their IT systems and use the internet safely. Indeed, the director of GCHQ said in March that he is accountable to the Prime Minister just as much, if not more, for the state of cybersecurity in the UK as he is for intelligence collection.
In the past two years, the security and intelligence agencies have disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business. You do not have to take the Government’s word for that. In September 2015, Apple publicly credited the information assurance arm of GCHQ with the detection of a vulnerability in its operating system for iPhones and iPads, which could otherwise have been exploited by criminals to disrupt devices and extract information from them. As a result, this vulnerability could be fixed.
The assertion that the Government are opposed to encryption or would legislate to undermine it is fanciful. However, the Government and Parliament also have a responsibility to ensure that our security and intelligence services and law enforcement agencies have the capabilities necessary to keep our citizens safe. Encryption is now almost ubiquitous and is the default setting for most IT products and online services. While this technology is primarily used by law-abiding citizens, it can also be used—easily and cheaply—by terrorists and other criminals. Therefore, it can only be right that we retain the ability, as currently exists in legislation, to require a telecommunications operator to remove encryption in limited circumstances, subject to strong controls and safeguards. If we do not provide for this ability, then we must simply accept that there can be areas online beyond the reach of the law where criminals can go about their business unimpeded and without the risk of detection. That would be both irresponsible and wrong.
That is our starting principle, and it is one that we share with David Anderson QC. I have quoted this before, but he stated in his investigatory powers review, A Question of Trust:
“My first principle is that no-go areas for law enforcement should be minimised as far as possible, whether in the physical or digital world”.
This principle was also shared by the Joint Committee on the draft Bill and the Science and Technology Committee, both of which recognised that, in tightly prescribed circumstances, it should remain possible for our law enforcement agencies and security and intelligence services to be able to access unencrypted communications or data. That is exactly what Clauses 229 to 234 of the Bill provide for: strong safeguards to ensure that obligations to remove encryption can be imposed only in limited circumstances and subject to rigorous controls.
Clause 229 enables the Secretary of State to give a technical capability notice to a telecommunications operator in relation to interception, communications data or equipment interference. As part of maintaining a technical capability, the Bill makes clear at Clause 229(5)(c) that the obligations that may be imposed on an operator by the Secretary of State can include the removal of encryption. Before a technical capability notice is given, the Secretary of State must specifically consider the technical feasibility and likely cost of complying with it. Clause 231(4) provides that this consideration must explicitly take account of any obligations to remove encryption.
The Secretary of State must also consult the relevant operator before a notice is given. The draft codes of practice, which were published on 4 October, make clear that should the telecommunications operator have concerns about the reasonableness, cost or technical feasibility of any requirements to be set out in the notice, which of course includes any obligations relating to the removal of encryption, it should raise these concerns during the consultation process.
We have also amended the Bill to make clear that the Secretary of State may give a technical capability notice only where he or she considers that it is necessary and proportionate to do so, and, under Clause 230, that decision must also now be approved by a judicial commissioner, placing the stringent safeguard of the double lock on to any giving of a notice to require the removal of encryption. Clause 2 of the Bill, the privacy clause, also makes explicit that, before the Secretary of State may decide to give a notice, he or she must have regard to the public interest in the integrity and security of telecommunications systems.
In addition, a telecommunications operator that is given a technical capability notice may refer any aspect of the notice, including obligations relating to the removal of encryption, back to the Secretary of State for a review. In undertaking such a review, the Secretary of State must consult the Technical Advisory Board in relation to the technical and financial requirements of the notice, as well as a judicial commissioner in relation to its proportionality. We have amended the review clauses in the Bill to strengthen these provisions further. Where the Secretary of State decides that the outcome of the review should be to vary or confirm the effect of the notice, rather than to revoke it, that decision must be approved by the Investigatory Powers Commissioner.
The Bill also makes absolutely clear that, in line with current practice, obligations imposed on telecommunications operators to remove encryption may relate only to encryption applied by or on behalf of the company on whom the obligation is being placed. That ensures that such an obligation cannot require a telecommunications operator to remove encryption applied by other companies to data transiting their network. As we have already outlined, we have also now tabled a government amendment that would further strengthen the Bill’s provisions on technical capability notices. This amendment makes clear that the Secretary of State may vary a notice only where they consider that it is necessary and proportionate to do so. The amendment also makes clear that, in circumstances where a notice is being varied in such a way that would impose new obligations on the operator, the variation must be approved by a judicial commissioner.
Furthermore, obligations imposed under a technical capability notice to remove encryption require the relevant operator to maintain the capability to remove encryption when it is subsequently served with a warrant, notice or authorisation, rather than requiring it to remove encryption per se. That means that companies will not be forced to hand over encryption keys to the Government. Such a warrant, notice or authorisation will be subject to the double lock of Secretary of State and judicial commissioner approval, and the company on whom the warrant is served will not be required to take any steps, such as the removal of encryption, if they are not reasonably practicable steps for that company to take. So a technical capability notice could not, in itself, authorise an interference with privacy. It would simply require a capability to be maintained that would allow a telecommunications operator to give effect to a warrant quickly and securely including, where applicable, the ability to remove encryption.
That is an enormously long list of safeguards. Indeed, it is difficult to think what more the Government could do. These safeguards ensure that an obligation to remove encryption under Clause 229 of the Bill will be subject to very strict controls and may be imposed only where it is necessary and proportionate, technically feasible and reasonably practicable for the relevant operator to comply. Let me be clear: the Bill’s provisions on encryption simply maintain and clarify the current legal position, and apply strengthened safeguards to those provisions. They will mean that our law enforcement and security and intelligence agencies maintain the ability to require telecommunications operators to remove encryption in very tightly defined circumstances.
I would also like to make absolutely clear what the Bill does not provide for on encryption.
Could the Minister help those of us who are not deeply technical in these matters? We fear that circumstances by their nature cannot be technical and defined. In at least some cases, the consequences of serving a notice would be that the operator would have to create a significant weakness, which would apply far beyond the objective for which the notice was being served, and the operator would have to say in future to its customers, “This system is not as strong as we would like it to be”.
We come back to the test of reasonable practicability here. I am about to come on to what the Bill does not provide for on encryption and I hope that this will help the noble Lord.
The Bill does not ban encryption or do anything to limit its use. The Bill will not be used to force providers to undermine their business models, to create so-called back doors or to compromise encryption keys. It will not be used to prevent new encrypted products or services from being launched and it will not undermine internet security.