Lord Paddick

- Hansard -

Copy Link

- - Excerpts

I am grateful for the chance to clarify my position. That is my position: we disagree with the conclusions of the Joint Committee. We believe, on balance, that the retention of internet connection records is disproportionate and unnecessary.

Technology experts recommend that companies should plan on the basis of their security measures having been breached, not just plan for the security of their databases. This makes highly intrusive personal data potentially available to criminals and hostile foreign powers. If a criminal establishes that a married man is accessing gay websites, or a hostile foreign Government establish that an intelligence officer is accessing lonely hearts websites, that could increase the risk of blackmail or entrapment. Knowing from ICRs when someone is not at home can increase the risk of burglary.

Internet connection records are hugely expensive to analyse and store. Based on estimates from Denmark, where the storage of internet connection records has already been explored extensively, the set-up costs alone in the UK could be around £1 billion. As in the UK, the cost estimates provided by the Government and telecommunications providers in Denmark varied widely. The Government therefore asked independent management consultants to establish the true cost, which confirmed that the telecommunications service providers’ estimates were the correct ones. Extrapolating from the independently verified Danish costs using the relative populations of both countries would take the set-up costs alone for internet connection records in the UK to more than £1 billion.

For those who think that this cannot be right, I should say that 80% of all the data ever created since the beginning of time has been created in the last two years. That is the rate of increase, and, with more and more devices being connected to the internet, such as those controlling our central heating, and with even refrigerators and ovens being connected to the so-called internet of things, the number of internet connection records is set to increase exponentially. Apart from not being able to see communications in among all these other internet connections, the storage costs alone will be enormous.

Taking all these arguments together, the storage of the internet connection records of everyone in the UK for 12 months, whether they are suspected of wrongdoing or not, fails the proportionality test. I quote the RUSI report again, this time on proportionality. It states:

“Intrusion must be judged as proportionate to the advantages gained, not just in cost or resource terms but also through a judgement that the degree of intrusion is matched by the seriousness of the harm to be prevented”.

The advantages gained through the storage of internet connection records are limited, the costs are prohibitive, the degree of intrusion is huge and serious harm can be prevented through other means.

Lord Strasburger

- Hansard -

Copy Link

- - Excerpts

My Lords, I rise to speak to Amendment 156A and cite the simple facts about internet connection records. They do not currently exist, would be very difficult and costly to manufacture, have very limited usefulness and collecting and storing them, far from making us safer, would expose everyone in Britain who uses the internet to new and serious risks. In addition, they are highly intrusive into everyone’s private lives and cannot be stored securely by service providers. So it is little wonder, then, that no other western democracy is collecting internet connection records, including the four other members of the “Five Eyes” partnership, the long-standing security alliance between the UK, the USA, Canada, Australia and New Zealand. In fact, the new Australian data retention law specifically excludes the retention of web browsing histories. As for the USA and Canada, David Anderson pointed out in his report that in both countries,

“there would be constitutional difficulties in such a proposal”.

As my noble friend Lord Paddick has already pointed out, Denmark is the only country known to have tried to collect internet connection records—session logs, as they called them. That project was abandoned after a review by the Danish ministry of justice found that it had been of almost no use to the police. The Home Office claims, with some justification, that the proposal in the Bill has some differences from the Danish system but this year the Danish Government came up with a revised scheme that is almost identical to the internet connection records provisions in the Bill. That was promptly abandoned when the prohibitively expensive cost estimates of the Danish service providers were confirmed as accurate by independent accountants. We must ask ourselves: what is it about our country that makes the Government believe that we should be in a stubborn minority of one on this important matter? I hope the Minister will be able to explain it to the Committee.

It is important to understand that internet connection records—ICRs—do not currently exist. Unlike itemised phone bills, which phone companies keep for billing purposes and are the basis of the current communications data regime, communications service providers—CSPs—have no need whatever for ICRs so they do not create or keep them. The Joint Committee heard from many technical and industry experts, including the committee’s two excellent technical advisers, that it would be very far from simple for CSPs to start intercepting these data as they pass through their networks. Each company would have to devise a method suitable for their own systems. They would need to install expensive and complex equipment to carry out “deep packet inspection”, which copies data packets as they fly past on fibre-optic cables. They would then need to process the collected data to find and discard the very large amount of internal housekeeping signals that keep the network healthy but have absolutely no intelligence value. The warnings the committee heard from the service providers about the difficulties of making ICRs happen and their negligible intelligence value echoed what Danish service providers told their Government before they embarked on their ill-fated and wasteful scheme.

However, if some British service providers could do better than their Danish counterparts and succeed in creating internet connection records, it would not make Britons safer; it would make us less safe. I will explain why. The very existence of internet connection records would create more hazards and dangers for the British public than they currently face, and these risks are as good as impossible to mitigate. The first rule of digital security is to not keep any data you do not need because they are all vulnerable. Yet here, we are talking about storing everything that we all do on the internet for 12 months. We should bear in mind that this information would be gold dust to those who would do us harm and would attract the efforts of hackers, blackmailers, criminals and rogue states from around the world. The prize for them would be the details of the private lives of millions of UK citizens: all our personal secrets, including our banking and credit card details; our problems with addiction; our mental and physical health; our sexual proclivities; our financial struggles; our political leanings; our hopes, our worries, our plans—just about everything about our lives.

If the Government attempt to convince themselves and this House that service providers will be able to keep these data safe, they will be deluding themselves and the British public. It is a matter of when, not if, these sensitive data get into the wrong hands. I will explain why. Our service providers make their money from transmitting our data on their way to and from our devices. They are not in the business of storing it securely. The noble Baroness, Lady Harding, who is the chief executive of TalkTalk could, if she were in her place, recount how 156,000 of her company’s customers had their data accessed by hackers last year. In February this year, SWIFT, the interbank financial transaction network, which presumably needs and has much stronger security than service providers, had $81 million stolen in one set of transactions. It would have been much more, but for a simple spelling mistake by the culprits. Canadian police reported in August last year that two clients of the infidelity website Ashley Madison had taken their own lives, following the theft of the personal data of 33 million Ashley Madison customers. Also last year, Chinese hackers stole the details of 4 million US Government employees, including their security clearances.

Baroness Jones of Moulsecoomb (GP)

- Hansard -

Copy Link

- - Excerpts

My Amendment 169AA would ensure that applications for targeted equipment interference or targeted examination warrants were granted only on application to a judicial commissioner, removing the role of the Secretary of State. It also applies additional safeguards to the correspondence of parliamentarians when a warrant for hacking is sought. I have held my tongue this afternoon despite listening to some astonishing statements. I will keep my remarks now quite brief. This is not to say that I do not feel a lot of passion for this debate, because I do, but I value your Lordships’ time and so I will be brief.

I feel very strongly that politicians and journalists are not above the law, but politicians have a unique constitutional role, not least in holding the Executive to account. There should be a strong legislative presumption against their surveillance, which should be rebutted only in clear and specific circumstances, overseen only by judicial commissioners, without political involvement, which could have bias. A single process of judicial authorisation ought to exist across the Bill, but in relation to politicians being under surveillance it is imperative to remove any political involvement.

It is illogical to suggest that an adequate replacement for an almost complete prohibition on surveillance of politicians—the Wilson doctrine—is to expressly allow it, needing only the Secretary of State to consult with the Prime Minister prior to authorising interception or hacking. In fact, instead of securing an independent authorisation process, involving two politicians rather than just one makes the process even more political, not less. It is inherent in our democracy that members of the public can correspond with their representatives in private. It is vital that anyone contacting their Member of Parliament and any material that they provide will be handled with confidentiality and sensitivity. This also applies to journalists, of course.

Keir Starmer MP QC raised the issue of communications sent by or intended for Members of Parliament and journalists in Committee in the Commons, saying that,

“the protection is not for the benefit of the journalist or the Member of Parliament but for the wider public good”—[Official Report, Commons, Investigatory Powers Bill Committee, 12/4/16; col. 191.]

People have to know that they have privacy and confidentiality. Of course, it is also essential that the protections granted to elected representatives are consistent across the different methods of surveillance. John Hayes, who was a Minister quite recently—I am not sure where he is now—said that the Government would consider the issue of consistency across the different methods of surveillance. I beg to move.

Lord Beith

- Hansard -

Copy Link

- - Excerpts

My Lords, I am very glad the noble Baroness has tabled this amendment because it enables us to clarify the extension of the things we were discussing on telephone interception into this area, which the Government are now seeking to ensure is covered in other respects and that the same principles should apply. Having said that, I am inclined to agree with the noble Lord, Lord Murphy, that what is now in the Bill is probably about the best set of safeguards that we could reasonably construct from the very important principle—I agree with the noble Baroness on this—that we should protect the ability of constituents and whistleblowers to contact elected Members to raise matters of concern. They may be matters which affect the very organisations, whether it is the intelligence services or the police, that might seek the power to initiate interception.

The noble Baroness mentioned the Wilson doctrine, which came up earlier. That adds no clarity whatever to the situation but simply obscures it. It is even further complicated now by the fact that the last Prime Minister to make a Statement on the subject is no longer the Prime Minister. It is not even clear that his successor will consider herself bound in any way by what Mr Cameron said on the subject. As I think we teased out in the previous discussion, the Wilson doctrine does not really mean anything now. There is now a statutory basis for considering how to deal with a situation where there are reasonable grounds to believe that a Member of a legislature is involved in very serious crime or associated with terrorism. That is the procedure set out in the clause that the amendment addresses.

That there should be a bizarre principle now that the Government generally have a policy of not using these sorts of powers but will come along to Parliament some day and say, “We’ve changed our minds and now we want to use these powers very widely indeed” just does not make any sense at all. Since no Prime Minister has ever come to the House to satisfy the requirements of the Wilson doctrine—that if government policy changes, you should make such a Statement—the whole thing has become absurd. We should give it a decent burial and satisfy ourselves that the provisions we put in place for governing interceptions of any kind of the communications of a legislator are satisfactory. I am of the view that the clause we have now, following the various interventions that the noble Lord, Lord Murphy, described, is a good basis for doing so.