Lord Strasburger
Main Page: Lord Strasburger (Liberal Democrat - Life peer)Department Debates - View all Lord Strasburger's debates with the Ministry of Defence
(8 years, 4 months ago)
Lords ChamberMy Lords, that is precisely what this amendment is seeking to do.
My Lords, I rise to speak to Amendment 41, which seeks to remove the requirement for a judicial commissioner to apply judicial review principles when approving warrants. I do so with some trepidation as I am only the second noble Lord who is not a lawyer to venture into this very dangerous territory, but I will have a go. We heard a lot about this subject on the Joint Committee on the Bill and a large amount of both written and oral evidence was presented to us. I have reviewed it all again in preparation for today and would like to make the following points.
Surely applying any rules at all to how a person is to make a decision must have the effect of constraining how that person makes their decision. As such, constraining the judicial commissioner to judicial review rules must reduce their contribution to the decision compared to that of the Secretary of State, who has no such rules or constraints to limit how she makes her decision. If we retain the judicial review principle for the judicial commissioner, we no longer have a true double lock; we have a 1.5, or 1.4 lock, or whatever. If we want a true double lock—the phrase the Government keep using—whereby both the Secretary of State and the judicial commissioner consider the application in identical ways, as we on these Benches believe is the ideal, then we cannot constrain one of the decision-makers to special rules, whether those of judicial review or otherwise.
Several witnesses to the Joint Committee pointed out a major flaw in the case for judicial review rules to apply. Normally during a judicial review, both parties are present and have the opportunity to make their case for and against the decision being sought. In the case of a warrant application, only one party is present and the judicial commissioner has to imagine what objections the person who is the subject of the warrant might offer, so it is not possible to truly apply judicial review rules. In his oral evidence on this aspect, Matthew Ryder QC said that,
“normally in judicial review, there is an element of an adversarial process. In other words, the judge is assessing it with somebody making representations in relation to the other side. There will be no adversarial process built into this, the way it stands at the moment. You will have a judicial review, but no one putting forward the argument to the judge in a different situation. Now, that is not unheard of; you have that in other situations, but not in … a judicial review situation”.
So far, no proponent of judicial review rules has explained why the judicial commissioner should be limited in his or her consideration of the warrant application, so perhaps one or more noble Lords will do so during this debate. The Home Secretary suggested in her oral evidence, somewhat counterintuitively, that being constrained would give the judicial commissioner more flexibility, when the opposite would seem to be the case. I will listen with interest to the debate on this amendment. In the meantime, I commend it to the House.
In moving Amendment 81, I shall also speak to Amendment 239. I am not proposing, now, a facile change in the rules of evidence—but given the subject matter of the Bill, it might be a little odd not to explore the issue of intercept as evidence a little. Amendment 81 contains an enabling clause; enabling clauses go a bit against the grain, but for this purpose I think one is appropriate. It would require consultation and the affirmative resolution—but this is a probing amendment.
I know about the concerns that intercept as evidence would be massively expensive, because of the entirely proper rules of disclosure of evidence to the defence and the prosecution. Intercepted phone calls would not just be monitored for intelligence, with rough notes made and conversations only partially transcribed; this would mean a huge amount of transcription, and maybe translation as well, plus storage and indexation. Disclosure could, I accept, have operational implications, through disclosing techniques and the capacity of the agencies.
On the other hand, intercept evidence could significantly influence the outcome of a trial, but at the moment is simply unused. Lord Lloyd of Berwick said:
“We know who the terrorists are, but we exclude the only evidence which has any chance of getting them convicted”. —[Offcial Report, 19/6/00; cols 109-10,]
So we spend a lot of resources on spying on those implicated in organised crime and terrorism, but we cannot prosecute them or prevent further crime. Other common law countries use such evidence. I am aware that their legal systems are said to be “less demanding”, but does that not suggest that we should not abandon the idea?
The right to a fair trial raises the issue of all evidence being available to both prosecution and defence. The prosecution has the advantage of being aware of evidence but not using it, and that puts the defence at a disadvantage. Further, I understand that a ban applies only to interceptions in the UK. Recordings and transcripts of intercepted calls made in other countries are used, for instance in prosecutions for drug trafficking. Nor is there a bar on introducing evidence of phone calls made from prisons. I believe that the Ian Huntley Soham case featured such evidence. One can also use a recording from a hidden bug as evidence, but one cannot use interception as evidence.
It is argued that our system of public interest immunity could be applied to protect the details of investigative techniques—the subject of the concern that I raised a moment ago. The Privy Council’s review on that issue, which reported in 2008, concluded that it would be possible to provide for use as evidence by developing a “robust legal model” with public interest immunity as the basis, which would be human rights compliant. I appreciate that that review was the seventh report to Ministers in 13 years, so this matter has not gone unexamined.
However, we are now in a position whereby our criminal justice system cannot accommodate what will often be the best evidence in a case, so cases that should be prosecuted may not be. Given advances in technology—and those no doubt to come—it must be right to keep the issue on the agenda, which is what the amendment seeks to do. I beg to move.
My Lords, I have a question for the Government. Am I correct in believing that evidence derived from equipment interference is permitted to be used in court? If so, could not equipment interference lead to an equally large and costly process of evidence-gathering? Why is there a difference between the two sources of evidence?
My Lords, the Government are, of course, committed to securing the maximum number of convictions in terrorism and serious crime cases. The experience of other countries is that the use of evidence gathered through interception may help to achieve that. For that reason, the Government have considered whether there is a practical way to allow the use of intercept as evidence in criminal proceedings.
The issue of whether intercept material can be used as evidence has been considered in great depth no less than eight times since 1993. Each of those reviews—published by Conservative, Labour and coalition Governments—has concluded that the current prohibition which does not allow intercept material to be used as evidence should remain in place. This is the position maintained in statute since 1985, and provided for in the Bill at Clause 53.
The most recent review, in 2014, was overseen by an advisory group of privy counsellors from all parties, including my noble friend Lord Howard of Lympne and the noble Lord, Lord Beith, who is no longer in his place. That review went further than any previous review by considering the costs and benefits of a regime for the use of intercept as evidence, even if that meant considerable operational upheaval for the intercepting agencies. The review found that the substantial costs and risks of introducing the use of intercept material as evidence in court would outweigh the uncertain benefits.
When the conclusions of the latest review were published in December 2014, the Home Secretary undertook to keep the issue under review and to revisit it should circumstances change. But there has been no significant change since that time. We appreciate that the amendment is intended to provide for a change of circumstances to be reflected in secondary legislation. However, we consider that such a significant change as introducing intercept as evidence would be appropriate for primary legislation rather than regulations, even those subject to the affirmative procedure.
Finally, on the point raised a moment ago, it is the case that material derived from equipment interference is used in evidence. That has, historically, always been the case, and there is no need to move away from that established position. I invite the noble Baroness to withdraw her amendment.
I thank the noble and learned Lord for his reply, but my question was: why is it in one case suitable to use the evidence in court, but in the other not?
Because it has been established as a matter of evidential law over many years that it can be admitted. Therefore, adequate provision is in place for its admission as evidence.
My Lords, I am speaking to Amendments 92, 102 and 103 in my name. These amendments address aspects of two extremely strong powers granted to Ministers by the Bill which are tucked away at the back in Clauses 225 and 226. As we have heard, they are about national security notices and technical capability notices. Although they are not listed as powers under the Bill, they are, in fact, very strong, broad powers.
The national security notices permit, with some caveats, the Secretary of State to instruct the telecommunications operator to do whatever she considers necessary in the interests of national security. Technical capability notices enable, with some caveats, the Secretary of State to instruct an operator to develop or maintain a capability to assist the authorities. Both types of notice must be kept secret by the recipient, if the Secretary of State so wishes. In a recent amendment, the Government added the need for a judicial commissioner to approve both types of notice. This is a welcome step forward, as is the forthcoming repeal of Section 94 of the Telecommunications Act 1984, which has been used in the past to create new powers.
These three amendments address one particular capability specified in Clause 226(5)(c)—the removal of electronic protection. All the experts who gave evidence to the Joint Committee, and with whom I have discussed this matter since, agree that the phrase “removal of electronic protection” must include decryption of encrypted information and/or weakening of encryption in some way. They are deeply alarmed about it.
Encryption is a vital feature of all the financial, commercial and personal activity on the internet. The Government have confirmed on several occasions, including in answer to Questions in this House, that any weakening of our back-door access to encryption would threaten the entire operation of large parts of the digital economy. Once the integrity of cryptosecurity has been compromised for one set of users—in this case the Government—that weakness is available for everyone, including hackers, criminals, terrorists and hostile Governments, to exploit. Furthermore, as my noble friend Lord Paddick has said, UK plc has many successful businesses operating in the field of encryption products. They are very concerned that their clients will shun their products if they suspect that the Government have secretly weakened the security that these products offer. Unless this risk is eliminated from the Bill, they may have to take their companies abroad to avoid their products being tainted by the perceived risk of government damage to the security integrity of their products.
At the end of Second Reading in this House, the Minister, the noble and learned Lord, Lord Keen, stated:
“The provisions of the Bill do not weaken encryption or threaten it. We do not seek what have sometimes been erroneously termed “back doors” into encrypted material. I would seek to dispel any such suggestion”.—[Official Report, 27/6/16; col. 1461.]
These amendments simply seek to give force to that clear assurance by deleting the reference to “removal of electronic protection” and explicitly prohibiting the use of national security notices and technical capability notices for the purpose of “removal of electronic protection”. I commend them to the Committee.
My Lords, Amendment 93 stands in my name and that of my noble friend Lord Rosser and is on the same issue of encryption. Encryption is fundamental to keeping the whole of the digital economy safe and secure. It is widely used by business, government and consumers to protect sensitive and confidential information and as a building block in the advanced security technology which has been described.
The undermining of encryption would not simply mean that the communications of criminals could be read more easily; it would risk creating a major vulnerability in the security infrastructure, which could be exploited by various malicious actors, be they criminal gangs or rogue states. So it is important for this economy and for all the financial and other businesses that depend on it that the foundations of encryption technology remain absolutely firm.
There will be times when state security undoubtedly needs access to encrypted information for a specific investigation. This is not the problem. The problem is whether the Government would ever require a company to engineer such access, enforcing the company to create a model which, if then followed by other nations with perhaps less security than ours, would lead to a lowering of standards. We welcome the statement by the Government that they do not require industry to build back doors into their encrypted products. The Bill as it stands is perhaps not as clear as the commitments the Government have made.
Clause 226 risks making encryption intrinsically weaker if a company could be asked to build the ability to break the encryption. Amendment 93 seeks to address that. We hope the Government will understand that, when the request is made, they should not ask a company to develop a new way of breaking encryption that is not already within its ability. At the moment, the clause implies that, where companies that did not have the ability to remove the protection were issued with a notice, they would be required to build that capability so as to adhere to the notice. That is worrying the companies because of the general undermining of encryption. End-to-end encryption is essential to protect sensitive personal, commercial and security information. I think the Government share our concern that we should maintain that.
The thrust of Amendment 93 makes it explicit that a company would be required to remove the electronic protection only where it had the current capacity to do so and that it should not have to engineer it. We hope it will be accepted by the Government.
Certainly, targeted equipment interference is, if you like, the next step should interception not be possible for any reason. However, I will answer the noble Lord’s first question, on end-to-end encrypted services. We start from the position that we do not think that companies should provide safe spaces to criminals to communicate. They should maintain the ability, when presented with an authorisation under UK law, to access those communications. We will work with industry to ensure that, with clear oversight and the legal framework I have in part alluded to, the police and intelligence agencies can access the content of terrorists’ and criminals’ communications when a warrant has been approved in the usual way.
We will of course consider what steps are reasonably practicable for an individual telecommunications operator, taking account of a range of factors, including technical feasibility and likely cost. We recognise that what is reasonably practicable for one telecommunications operator may not be for another, so any decision will have regard to the particular circumstances of the case. However, I cannot go into our relationships with individual companies, as the noble Lord will understand. It is important to understand that the Bill does not ban encryption or do anything to limit the use of fully encrypted services.
I thank the Minister for giving way. I think this is the first time I have heard the Government admit that the phrase “removal of electronic protection” does in fact refer to encryption.
I want to emphasise—and anybody in the cryptography industry will spell this out—that you cannot have it both ways. Either encryption is secure, or it is not; it cannot be insecure for a small group of users and secure for everybody else. Once encryption is weakened, it is weakened for everyone and once this is done at the request of the Government, it is available to all the people I listed earlier who would do us harm. I would also point out that there are a myriad of encryption products available outside the UK—ISIS has its own set, and I have seen the manual. There are any number of ways that people who want to use encryption for malign purposes can acquire it and use it in a way that UK companies cannot break.
Lastly, when I was at GCHQ, it seemed fairly relaxed about the threat of encryption because it is very confident that it can use the other means we have referred to, such as equipment interference, to get the unencrypted data it wants. But the main point, which the Government really do have to take on board, is that encryption is either strong or it is not. It cannot be partially strong—that is, strong for most and weak for the Government.
I shall of course reflect on those points, which I was already aware of. It is important to emphasise that any encryption arrangements that a communications service provider has not itself applied, or had applied on its behalf, would almost inevitably fall outside these provisions because it would not be reasonably practicable for the company to de-encrypt. Many of the biggest companies in the world rely on strong encryption to provide safe and secure communications and e-commerce, but nevertheless retain the ability to access the contents of their users’ communications for their own business purposes—and, indeed, those companies’ reputations rest on their ability to protect their users’ data. In many cases, we are not asking companies to do something that they would not do in the normal course of their business, but I note what the noble Lord has said.
Amendment 93 deals with the subject of end-to-end encryption more specifically. This matter was discussed in detail in another place, so I will reiterate what was said there to explain why this is not an appropriate amendment. I have already outlined the strict safeguards that will apply. This amendment is not necessary because the Bill makes absolutely clear that a telecommunications operator would not be obligated to remove encryption where it is not reasonably practicable for it to do so. It is important to highlight that the amendment would in many cases prevent our law enforcement and security and intelligence agencies from being able to work constructively with telecommunications operators as technology develops to ensure that they can access the content of terrorists’ and criminals’ communications. Depending on the individual company and circumstances of the case, it may be entirely sensible for the Government to work with them to determine whether it would be reasonably practicable to take steps to develop and maintain a technical capability to remove encryption that has been applied to communications or data. But the amendment would signpost to terrorists and criminals that there are communications services they can use to communicate with each other unimpeded and which the authorities will never be able to access. That cannot be right.
Amendments 108 and 109 propose changes to Clause 230, which provides for a telecommunications or postal operator to request a review by the Secretary of State of the obligations imposed on it by a technical capability notice or a national security notice. The Secretary of State must seek the views of the Technical Advisory Board—a group of experts drawn from the telecommunications operators and the intercepting agencies—and the Investigatory Powers Commissioner before deciding the review.
Amendment 109 seeks to insert the double-lock authorisation process into that review. I contend that this is unnecessary. The Government have an amendment which provides that the Secretary of State must initially consult the judicial commissioner on proportionality, and that the Secretary of State’s decision following the review must be approved by the Investigatory Powers Commissioner. As I have explained, if after consulting the commissioner and the Technical Advisory Board, the Secretary of State decides to confirm the effect of a notice or vary it, the Investigatory Powers Commissioner must approve that decision, so the amendment is not required.
Amendment 108 seeks to require the Technical Advisory Board to consider the consequences for others likely to be affected by obligations imposed by a notice. This proposal was first raised in the other place and, following discussion, considered to be unnecessary. I will briefly explain why. First, the Technical Advisory Board has a very specific role to play in advising the Secretary of State on cost and technical grounds. This role is reflected in its membership. Board members are drawn from the telecommunications industry and those persons entitled to apply for warrants and authorisations under the Bill. These experts are well placed to consider the technical requirements and the specific financial consequences of the notice. If they consider it appropriate, they may look beyond cost and technical feasibility, but those factors are rightly their focus.
The responsibility for considering the broader effect of the notice on the operator to whom it has been given sits with the judicial commissioner, and it is right that the commissioner has this role. As part of any review into the obligations set out in a notice, the commissioner must report on their proportionality. This would include an assessment of its consequences, both for the person seeking the review and for anyone else affected by it. Furthermore, the clause requires the commissioner to seek out the views of the person who has received the notice. The person will have an opportunity to raise any concerns regarding the effect of the notice with the commissioner for consideration, and the commissioner must report his or her conclusions to the person and the Secretary of State. In my view, and as concluded following discussion in the other place, the Investigatory Powers Commissioner is rightly placed to carefully assess proportionality as a whole. The amended wording would introduce unnecessary duplication and ambiguity over what the board and Investigatory Powers Commissioner are each considering.
Finally, allow me to turn to another part of the Bill. I welcome the intent of Amendment 129, which seeks to clarify the scope of the restrictions on the acquisition of internet connection records. The clarity that noble Lords intend to create with this amendment is already provided in the code of practice, and I hope I can reassure noble Lords that there are good reasons why this definition should not appear in the Bill. The Bill already contains definitions of “telecommunications service” and “communication” which make very clear that a communication can include messages between individuals, between individuals and machines, and between machines. This maintains the existing position in RIPA, and it is absolutely right that the powers and, indeed, safeguards in this Bill apply to all forms of communication.
Taken in its broadest sense an “internet communications service” is simply a telecommunications service that involves communication over the internet and it should rightly include all forms of internet communication. But in the context of internet connection records the term is used to mean services that facilitate communications between two or more individuals, like email or social networking websites. An “internet service”, by contrast, is any other communication service a person could connect to over the internet, including person to machine communications, such as a person accessing a website. This distinction is made clear in the code of practice, which is the appropriate place for it because the definition has a different meaning in other contexts in the Bill.
I hope that noble Lords will be reassured that the definition is contained in the code of practice. We are concerned that defining “internet communications service” on the face of the Bill in the way proposed could cast doubt on the scope of the Bill in so far as it applies to internet communication services more generally. For all the reasons that I have set out, I ask noble Lords not to press their amendments.
My Lords, the Minister spoke about what is possible and reasonable, but the point of our Amendment 93 is that a notice may not impose the requirement to build a facility that would break end-to-end encryption. We may need to return to this on Report, but it would perhaps be useful to have a discussion between now and then about imposing the requirement to build capacity to break end-to-end encryption.
I fear that the Minister is taking himself down a long cul-de-sac here, because the implication of what he is saying is that no one may develop end-to-end encryption. One feature of end-to-end encryption is that the provider cannot break it; encryption is private between the users at both ends. He seems to be implying that providers can use only encryption which can be broken and therefore cannot be end to end, so the next version of the Apple iPhone would in theory become illegal. I think that there is quite a lot of work to be done on this.
I was certainly not implying that the Government wished to ban end-to-end encryption; in fact, we do not seek to ban any kind of encryption. However, there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication. It is not possible to generalise in this situation. I am advised that the Apple case to which the noble Lord referred could not occur in this country in the same way.