Lord Harris of Haringey (Labour - Life peer)
(8 years, 5 months ago)
Lords Chamber

My Lords, Amendment 93 stands in my name and that of my noble friend Lord Rosser and is on the same issue of encryption. Encryption is fundamental to keeping the whole of the digital economy safe and secure. It is widely used by business, government and consumers to protect sensitive and confidential information and as a building block in the advanced security technology which has been described.
The undermining of encryption would not simply mean that the communications of criminals could be read more easily; it would risk creating a major vulnerability in the security infrastructure, which could be exploited by various malicious actors, be they criminal gangs or rogue states. So it is important for this economy and for all the financial and other businesses that depend on it that the foundations of encryption technology remain absolutely firm.
There will be times when state security undoubtedly needs access to encrypted information for a specific investigation. This is not the problem. The problem is whether the Government would ever require a company to engineer such access, forcing the company to create a model which, if then followed by other nations with perhaps less security than ours, would lead to a lowering of standards. We welcome the statement by the Government that they do not require industry to build back doors into their encrypted products. The Bill as it stands is perhaps not as clear as the commitments the Government have made.
Clause 226 risks making encryption intrinsically weaker if a company could be asked to build the ability to break the encryption. Amendment 93 seeks to address that. We hope the Government will understand that, when the request is made, they should not ask a company to develop a new way of breaking encryption that is not already within its ability. At the moment, the clause implies that, where companies that did not have the ability to remove the protection were issued with a notice, they would be required to build that capability so as to adhere to the notice. That is worrying the companies because of the general undermining of encryption. End-to-end encryption is essential to protect sensitive personal, commercial and security information. I think the Government share our concern that we should maintain that.
The thrust of Amendment 93 makes it explicit that a company would be required to remove the electronic protection only where it had the current capacity to do so and that it should not have to engineer it. We hope it will be accepted by the Government.
My Lords, first, I should draw attention to my interests in the register on policing and counterterrorism matters. Secondly, I should make clear that my starting point on the Bill is that it is important that the developing gaps in access to communications data are addressed to protect the nation against all sorts of threats.
In any set of counterterrorism or counterespionage measures, or whatever else it might be, you have to look at the balance and weigh the benefit to the nation in protecting its citizens by having those powers against the potential downside or consequences of exercising them.
When we come to the question contained in this group of amendments—essentially about enabling or requiring companies to break the apparent encryption—we have to look carefully at the potential downsides presented by this. The first downside, or danger, is that by enabling this to happen—by creating the mechanism and requiring companies, as my noble friend Lady Hayter said, to make new arrangements so that encryption can be broken—you create a back-door mechanism. This would be available not just to the forces of good—those who are trying to protect all our security—but to cybercriminals and those who would do us ill. Therefore you need to weigh clearly what you are trying to do against whether you are creating something that will make it easier for criminals and those who would do us harm.
The second element is the extent to which what we do in this country sets a precedent that will be seized in other countries, whose interests may not be the same as ours or as positive as ours towards their citizenry. If we create that precedent, what is to prevent Governments in other countries saying that they want the same powers and therefore doing the same? That test has to be applied to quite a number of the measures in the Bill. As I say, my starting point is that I want the state to be able to fill the gap in its access to communications data that is emerging and opening up. However, I want to hear from the Government a clear explanation of why in this set of cases the benefits outweigh the potential disbenefits.
My Lords, a number of amendments here separately seek to remove the encryption provisions from Part 9 or propose modifications to them.
I will begin with Amendments 92, 102 and 103, which propose removing the encryption provisions from Clauses 226 and 228. If these are anything other than probing amendments, I have to say that they are irresponsible proposals, which would remove the Government’s ability to give a technical capability notice to telecommunications operators requiring them to remove encryption from the communications of criminals, terrorists and foreign spies. This is a vital power, without which the ability of the police and intelligence agencies to intercept communications in an intelligible form would be considerably diluted.
Let me be clear: the Government recognise the importance of encryption. Encryption keeps people’s personal data and intellectual property secure and ensures safe online commerce. The Government work closely with industry and businesses to improve their cybersecurity. However, law enforcement and the intelligence agencies must retain the ability to require telecommunications operators to remove encryption in limited circumstances—subject to strong controls and safeguards—to address the increasing technical sophistication of those who would seek to do us harm.
Encryption is now almost ubiquitous and is the default setting for most IT products and online services. If we do not provide for access to encrypted communications when it is necessary and proportionate to do so, we must simply accept that there can be areas online beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. That cannot be right.
These provisions simply maintain the current legal position in relation to encryption and go no further. They retain the ability of law enforcement and the security and intelligence agencies to require companies to remove encryption that they have applied, or that has been applied on their behalf, in tightly prescribed circumstances. It would not—and under the Bill could not—be used to ask companies to do anything that it is not reasonably practicable for them to do.
The safeguards that apply to the use of these provisions have been strengthened during the Bill’s passage through Parliament. First, the “double-lock” authorisation process now applies to the giving of notices, which means that a judicial commissioner must approve the Secretary of State’s decision to give a notice. The Secretary of State must also consult the relevant operator before a notice is given. The draft codes of practice, which were published alongside the introduction of the Bill, make clear that should the telecommunications operator have concerns about the reasonableness, cost or technical feasibility of any requirements to be set out in the notice—which includes any obligations relating to the removal of encryption—it should raise them during the consultation process. Furthermore, the new privacy clause in the Bill requires that regard be given by the Secretary of State to the public interest in the integrity and security of telecommunications systems when deciding whether to give a technical capability notice.
My Lords, can the Minister clarify for me—I am sure that other noble Lords have got to the point precisely—that the requirements that the Bill seeks to create will apply only where a service provider has offered a service which most people might assume is secure and encrypted but has built in an existing arrangement which allows it to access it? Would it apply only in those circumstances? If that is not the case, perhaps the Minister could explain in what other circumstances it might apply. Can he further tell us whether there is an expectation in the Bill that, where a service provider is developing a new service, it must ensure that it has the facility to access what the user would assume are encrypted data?
The answer to both questions is that it depends on what is reasonably practicable for the communications service provider. The power will apply usually to encryption that the provider has applied or that has been applied on its behalf. If there are other circumstances where it would apply, I will take advice and write to the noble Lord, but we come back to what is reasonably practicable for the company. It is why the Government maintain a dialogue with communications service providers to ascertain what is practicable and what is not, and what would be cost effective and what would not be. However, broadly speaking, the noble Lord was right.
I am sorry to press the point, but I need to understand it. I understand the Minister’s answer in respect of the requirement applying where it is reasonably practicable because the encryption arrangement has been applied by the service provider, but is he saying that there is an expectation that in building new services a service provider should create something where it is technically possible for it to undermine that encryption? If so, that would raise a very different point which is important to clarify. Is the service provider required to make it technically practicable in future services as it develops them for this to be allowed?
It might be, but it might not be. Again, it depends on what is reasonably practicable in the particular circumstances. Those circumstances might vary from provider to provider and from situation to situation, so it is not possible for me to generalise about this, but I will take further advice and write to the noble Lord about it.
I was certainly not implying that the Government wished to ban end-to-end encryption; in fact, we do not seek to ban any kind of encryption. However, there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication. It is not possible to generalise in this situation. I am advised that the Apple case to which the noble Lord referred could not occur in this country in the same way.
Is the Minister therefore saying the Government’s expectation is that service providers will in future ensure that it is reasonably practicable for them to access those communications? If that is the case, I think that he is raising a whole new group of issues.
The Bill is clear that any attempt to obtain communications data must be necessary and proportionate, or it will not be permitted. It is crucial that the Bill provides a robust, legal framework which means that the law is consistently applied correctly. That is why we are introducing the double lock involving judges signing off warrants for the most intrusive powers, which means that the Secretary of State’s decisions, other than in the most urgent cases, will be independently scrutinised before warrants can be issued. I come back to the central point here, which relates to encryption: we do not think that companies should provide safe spaces to terrorists and other criminals in which to communicate. They should maintain the ability when presented with an authorisation under UK law to access those communications.