Lord Holmes of Richmond
Main Page: Lord Holmes of Richmond (Conservative - Life peer)Department Debates - View all Lord Holmes of Richmond's debates with the Home Office
Wednesday 7th January 2026
(2 days, 10 hours ago)
Lords ChamberRead Full debate Crime and Policing Bill 2024-26 View all Crime and Policing Bill 2024-26 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: HL Bill 111(Corrected)-VIII(a) Amendment for Committee (Supplementary to the Eighth Marshalled List) - (6 Jan 2026)
Lord Holmes of Richmond (Con)
My Lords, it is a pleasure to speak in this Committee and to follow my friend the noble Lord, Lord Clement-Jones, who perfectly and proportionately set out the principles in this amendment, which I support to every last sentence. We are now discussing a number of amendments on areas where the existing law, and this Bill as drafted, are clearly out of date and full of gaps—not least when we consider how our nation, our economy and the state itself are seeking to move to digitisation, which has such benefits for citizens and communities, our cities and our entire country. But one key element which enables, empowers and underpins almost every element of that digital transformation is effective digital ID.
There are a number of arguments that could be made at another time about the correct approach to digital ID. I would suggest that the principles around self-sovereign ID should strongly be considered. Mandation is clearly problematic, while the reasons for introducing a digital ID should be clearly made and the benefits set out. But the specifics of this amendment are clear, proportionate and timely, because a digital ID is critical and essential to availing oneself of the opportunities—and, indeed, to protecting oneself against many of the harms. To not have a digital ID protected by the criminal law would be a huge, inexplicable and indefensible gap.
If the Government want digital ID to be the means of accessing government services and to see greater digital inclusion—and, through that, the attendant and very necessary financial inclusion—action to protect our digital ID is critical. The noble Lord, Lord Clement-Jones effectively set out his amendment, which is proportionate, valid, timely and necessary. I very much look forward to the Minister accepting the principle as set out.
Lord Blencathra (Con)
My Lords, identity theft, as my noble friend Lord Holmes of Richmond said, is no longer a niche crime; it is the dominant fraud type in the UK and getting worse. In 2024, over 421,000 fraud cases were filed to the national fraud database and almost 250,000 were identity fraud filings, making identity theft the single largest category recorded by industry partners. CIFAS, the credit industry fraud avoidance system, recorded a record number of cases on the national fraud database in 2024. The organisations themselves prevented more than £2.1 billion of attempted loss, yet criminals are shifting tactics. Account takeovers rose by 76% and unauthorised SIM swaps surged, driven by the rapid adoption of AI and generative tools that let fraudsters create convincing fake documents and synthetic identities at scale.
We have all read of some of the high-profile examples: celebrity impersonation via deepfakes and cloned voices has been widely reported; manipulated videos and voice clones purporting to show public figures from Elon Musk to Martin Lewis, Holly Willoughby and others, have been used to generate investment scams and phishing campaigns. Documented victim losses include large individual losses linked to celebrity impersonation scams. One NatWest customer is reported to have lost £150,000 after responding to a scam impersonating Martin Lewis.
However, I think we are all more concerned with the tens of thousands of ordinary people who are not celebrities and who lose all their savings to these crooks. They are the victims who suffer real financial loss and damage, with long and costly recovery processes, while businesses face rising prevention costs and operational strain. I therefore strongly support the concept of the draft clause and the need for it. While it is well intentioned, I fear that it has some technical difficulties. It is a bit broad and vague about what “obtains” and “impersonate” mean. It also risks overlap with the Fraud Act, the Computer Misuse Act and the Data Protection Act, and lacks some clear defences for legitimate security research and lawful investigations. It also needs to address AI and the deepfake-specific methods, and set out what we can do about extraterritorial reach, for example, or aggravating factors for organised, large-scale operations.
We all know that my noble friend Lord Holmes of Richmond is, as we have just heard, an absolute expert on AI; he recently addressed a top-level group of the Council of Europe on this subject. May I suggest that he and the noble Lord, Lord Clement-Jones, get together with the Home Office or other government digital experts and bring back on Report a more tightly drafted amendment? Among other things, it should tighten the definitions of “obtain”, “impersonate” and “sensitive”; ensure that the mens rea is tied to dishonesty or intent to cause loss or gain; include recklessness in enabling others; limit the scope to unlawfully obtained data or use that bypasses authentication; and explicitly include AI/deepfake methods when used to bypass checks or cause reliance. It should also have clear defences for lawful authority and make sure that duplication is avoided, whether it be with the Fraud Act, the Computer Misuse Act or the Data Protection Act. Finally—I know this is an impossible ask, and that Governments find it almost impossible to do—something should be done about extraterritorial reach, because that is terribly important.
I say to the Minister: there is a gap in the legislation here. We should plug it, and we may have time to bring back on Report a more tightly drawn amendment that would deal with all the concerns of noble Lords and the possible problems I have just raised.
Lord Holmes of Richmond (Con)
My Lords, it is a pleasure again to follow my friend, the noble Lord, Lord Clement-Jones, whose amendment I agree with. I will speak to my Amendments 361 through 364, which are, as he rightly put, companions to the intent of his Amendment 360.
In simple terms we have an opportunity to change the law to benefit our cyber professionals and everything that they do to keep us safe, often—rightly and understandably—in the shadows. They deserve not only our respect but our support, and this is one small way we can support them.
I would also like to put on record my thanks and congratulations to CyberUp. It is an effective campaign because it has taken an issue, understood it at its essence and been clear, consistent and proportionate in its campaigning. It has not only been campaigning around the difficulties but offering practical and proportionate solutions. It is the very model of what a campaigning organisation should be.
We are told that 2026 is going to be the year smart glasses really take off—we will see. In 2007, the iPhone was launched. Yet the Computer Misuse Act still sits comfortably, dustily, fustily out of date on the statute book since 1990, a year when 0.5% of us UKers were online.
What has happened in the intervening 35 and a half years? Has that 0.5% doubled, trebled, increased tenfold or twentyfold? What was 0.5% in 1990 has moved on to 98.7% of the UK being online in 2025. That percentage alone should be enough to make the case for the need to urgently update the Computer Misuse Act. That Act came into being to address the issue of attacks on telephone exchanges. If the Government, or any polling organisation, went on to the streets of our country and asked anybody under the age of that of your Lordships about a telephone exchange, they might get some interesting results, but none of any benefit to the issues that we are discussing. It would be the greatest understatement to say that things have moved on since 1990.
There is a case for change, which the previous Government and this Government have largely accepted. Since 2021, work has been done on reviewing this issue, yet still we await any legislative change. What we are talking about is incredibly straightforward: giving a legal defence to legitimate cyber activities that is clear, concise, precise and proportionate.
The CMA being so chronically out of date would be a good enough reason to update it, but it is not just out of date, it is doing harm—harm to our cyber professionals, who, as I have already mentioned, do so much to keep us safe; harm to the security of our nation; and harm to the UK cyber industry.
I will share some numbers. There are 36.77 million reasons to make a change, because there have been 36.77 million cyber attacks on UK businesses and charities. There are another 27 billion reasons to make this change, because cyber attacks cost UK businesses and our economy £27 billion—not in total but year on year. Since 2021, when these various reviews began, £27 billion has been taken out of our economy year on year.
The changes in these amendments would bring the legal clarity and certainty required by our cyber professionals. If we look at other parts of the Bill, we can see where legal defences and clarity around public interest are being brought in. That would be completely analogous with what we are suggesting here with the Computer Misuse Act.
We are falling behind in terms of security, societal and economic benefits. The United States, France, Germany, Israel, Belgium and more countries already have a more appropriate regime than we do in the United Kingdom. The Government talk about growth, and quite right too. We already have a £13 billion cyber industry in this country. This change could unlock growth in the region of £3 billion, as well as in skills, training, jobs and careers, just by dint of making this very straightforward, clear, concise and proportionate change.
Dan Jarvis—partly in another place and largely at the Financial Times summit on 5 December last year—acknowledged this issue, stating that he understood the points behind it and that it was a priority for the Home Office. I therefore ask the Minister: is this a key, pressing and urgent priority? I suggest that it should be one of the Home Office’s top priorities. To that end, will the Minister agree to meet me and other colleagues across your Lordships’ House to update us on exactly where the Home Office’s thinking is, and where and when it is looking to make this change?
We have the ideal opportunity with this Bill. The time is now. In many ways, we are well overdue for the time being now. I ask the Minister: if not this Bill, what Bill? If not now, when?
Baroness Neville-Jones (Con)
My Lords, I support the amendments in this group, especially Amendments 360 and 362, tabled by the noble Lord, Lord Clement-Jones, and my noble friend Lord Holmes.
Like others, I welcome that the Government appear to have seen value in the introduction of a statutory defence for cyber security researchers. I hope that this will result in the updating of the Computer Misuse Act, for which, like others, I have been campaigning for about a decade. When it was passed, that Act was perfectly valid, but the market conditions, which have been described by colleagues, were extraordinarily different. As my noble friend Lord Holmes has rightly said, the Act is now not just neutral in the scene but actively doing damage to our national security.
The Act prevents or discourages those professionals whose work lies in researching things such as vulnerabilities in the system or threat intelligence from doing that work, because of the possibility of finding themselves in trouble with the law. It is therefore very important that we organise ourselves so that such challenges, if they exist, can be defended against as they come forward, and that the activities of our professionals can be both supported and encouraged.
I hope that, in drafting the legislation, the Government will ensure that they cover all aspects of this particular difficulty—not just vulnerabilities in the system but particularly threat intelligence, which, if we think about it for a moment, is becoming increasingly important. We need to know what is wrong with the system, and we need to know it early and before it is capable of doing real damage in each case.
This is an important amendment. When he replies, can the Minister give an assurance that the amendments that the Government will bring forward, I hope, will cover both the question of vulnerabilities and the issue of threat intelligence?
Lord Holmes of Richmond (Con)
Is the Minister able to clarify whether the review is still ongoing, or are the Government currently reviewing the review?
Lord Hanson of Flint (Lab)
I say to the noble Lord—and I hope that he takes this in the way in which I respond—that the review commenced in 2021, and it is now 2026. That is a long time for a review, and I would want to ensure that we come to some conclusions on the 1990 Act. However, at this stage, I cannot give him a timescale for the reasons that I have mentioned, about the complexity of this matter. I along with Minister Jarvis have had custody in the Home Office of these issues since July 2024; that is still three years into a review that was commissioned in 2021. I cannot give him a definitive timescale today, but I hope that the House can accept that there is active consideration of these very important matters raised by Members and that the Home Office plans to reform the Act. I hope that I will demonstrate that we are progressing this work at pace, but we need to get it right. Sadly, we are not going to be able to legislate in this Bill, but there is scope to examine issues at a later date. With those reassurances, I hope that the noble Lord will feel able to withdraw his amendment.