Investigatory Powers Bill Debate

Full Debate: Read Full Debate
Department: Home Office
Tuesday 15th March 2016

(8 years, 7 months ago)

Commons Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Andy Burnham Portrait Andy Burnham
- Hansard - - - Excerpts

I am going to make some more progress now.

As I understand it, the intention of the authorities in building internet connection records is to list domains visited, but not uniform resource locators. There would not be a web-browsing history, as the Home Secretary said. The ICRs would show the “front doors” of sites that had been visited online, but not where people went when they were inside. That will give some reassurance to people who fear something more extensive, but the definition of ICRs in clause 54 remains extremely vague and broad. I see nothing that would prevent them from becoming much more detailed and intrusive over time, as technology evolves. The draft code of practice gives an illustration of what would be included, but it does not build confidence, as it acknowledges that information may vary from provider to provider.

It would help everyone if the Government set out a much stricter definition of what can and cannot be included in ICRs, and, in particular, specified that they can include domains but not URLs. The current confusion about ICRs is unhelpful and clouds the debate about the Bill. It needs to be cleared up.

As for the use of ICRs, schedule 4 sets out far too broad a range of public bodies that will be able to access them. It seems to me that the net has been cast much too widely. Is it really necessary for the Food Standards Agency and the Gambling Commission to have powers to access an individual’s internet connection record? I will be testing the Government on that. If there were a suspicion of serious criminality in respect of the food chain or a betting syndicate, surely it would be better to refer it to the police at that point. I must say to the Home Secretary that we shall want to see a much reduced list before this part of the Bill becomes acceptable to us.

Nick Clegg Portrait Mr Nick Clegg (Sheffield, Hallam) (LD)
- Hansard - -

Does the right hon. Gentleman agree that not only are ICRs poorly and very broadly defined, but, even in the context of a narrow definition, the Government would still be proposing that every website or domain visited by every citizen in the country, every minute of every day, should be retained and stored for 12 months? Does he agree that that principle, whatever the definition, constitutes a very extensive power for the Government?

Andy Burnham Portrait Andy Burnham
- Hansard - - - Excerpts

I do agree. If such information were published, it would reveal far more about someone than an itemised phone bill. The Home Secretary began this whole process by saying that they were the same, and that this was simply the modern equivalent. It is not. It would reveal a great deal about someone.

The reassurance that I would hope to give is that it is not necessary to limit the information, but it is necessary to raise the threshold allowing the records to be accessed, in order to make this a test of serious crime rather than any crime. At present, the Bill refers to “any crime”, but I do not think it acceptable for the kind of information to which the right hon. Gentleman referred to be available in the context of lower-level offences. I hope that he may be able to support me on that point.

Our fourth area of concern relates to bulk powers. It is a fact that criminals and terrorists, operating both here and overseas, may use a variety of means to conceal their tracks and make it hard for the authorities to penetrate closed or encrypted communications networks. I accept the broad argument advanced by the authorities that power to extract information in bulk form can provide the only way of identifying those who pose a risk to the public, but the greater use of some of those bulk powers takes investigatory work into new territory. The routine gathering of large quantities of information from ordinary people presents significant privacy concerns, and points to a need for the warrants to be as targeted as possible. The operational case for the individual bulk powers was published by the Government alongside the Bill, but it is fair to say that the detail has failed to convince everyone. It is still for the Government to convince people that the powers are needed.

--- Later in debate ---
Nick Clegg Portrait Mr Nick Clegg (Sheffield, Hallam) (LD)
- Hansard - -

I associate myself with the remarks by the Home Secretary and others, and join in sending heartfelt condolences to the family and friends of the prison officer who tragically lost his life in Northern Ireland.

I shall start with the positive. Of course, my colleagues and I acknowledge that this Bill represents progress in some important respects. It is far more comprehensive than any previous piece of legislation and now covers all the powers that were previously unavowed. It contains important improvements in oversight and accountability, and compared with its predecessor, RIPA, it is easier to understand. However, as the Home Secretary, who alas has just departed, will know, she and I discussed the Bill yesterday. I am not a supporter of it, not for technical reasons but for reasons of principle, which I will come to. We feel that her Department has not responded in full to the criticisms of the three parliamentary Committees and that the Bill is, therefore, not yet in a fit state.

There are many problems, but I would like to highlight two in particular. First, as the former Attorney General, the right hon. and learned Member for Beaconsfield (Mr Grieve), said, the Intelligence and Security Committee was heavily critical of the way in which privacy protections were articulated in the draft Bill. In responding to the ISC’s request for a new part dedicated wholly to privacy, the Government have in effect done little more than change one word in a title. They have demonstrated precisely the point that the Committee made when it described the privacy protections in the Bill as an “add-on”.

I share the Committee’s concerns. The powers authorised by this Bill are formidable and capable of misuse. In the absence of a written constitution, it is only the subjective tests of necessity and proportionality that stand in the way of that misuse. The Bill should be far, far more explicit than it currently is that these powers are the exception from standing principles of privacy and must never become the norm.

The Home Office appears, unfortunately, to be institutionally insensitive to the importance that should be attached to privacy. A Department that cared about privacy would offer more than a one-word response to the ISC. A Department that cared about privacy would not have quietly shelved the privacy and civil liberties board, which this House voted to establish just last year. A Department that cared about privacy would have examined more proportionate alternatives to storing every click on every device of every citizen, instead of leaping to the most intrusive solution available.

Mark Spencer Portrait Mark Spencer
- Hansard - - - Excerpts

What would the right hon. Gentleman say about privacy when it came to a victim of child abuse who was unable to find the perpetrator because of some of the restrictions he wants to put in the Bill?

Nick Clegg Portrait Mr Clegg
- Hansard - -

As I know from my time in government, one of the greatest tools in going after precisely the perpetrators of such heinous crimes is matching the devices they use to them through IP addresses. That is why we passed legislation—the unfortunately acronymed DRIPA—which is being challenged in court by other Members of this House right now. It is also why, as I will explain in a minute, there are much more effective ways of achieving that objective than having a great dragnet, which is being advocated in the Bill.

Internet connection records, or ICRs, are my principal concern. We have been here so many times before—in 2008, 2009 and 2012. I cannot think of another proposal in Whitehall that has been so consistently championed, not, I should stress, by the police and the intelligence services, whose punctiliousness, scrupulousness and expertise I admire as much as anyone else, but by the Home Office, despite its failing to convince successive Governments. That is not the way that policy ought to be made.

The Home Secretary said that ICRs are significantly different from weblogs. The only differences that I can see are the exclusion of third-party data, welcome though that is, and the addition of some restrictions on the purposes for which the data can be accessed, although I note that some of those restrictions have now been relaxed again in clause 54 of the new Bill.

In terms of collection and retention, the scheme is the same—the name might be different, but the scheme is the same. Service providers will be required to keep records of every communication that takes place on their networks, and of potentially every click and swipe where there is an exchange of data between someone’s device and a remote server, for 12 months. It is the equivalent to someone in the days of steaming open letters keeping every front cover of every envelope from across the whole country stored in some great warehouse somewhere for 12 full months. It did not happen then, and it should not happen now.

The implication of this is very big indeed: it is that the Government believe, as a matter of principle, that every innocent act of communication online must leave a trace for future possible interrogation by the state. No other country in the world feels the need to do this, apart from Russia. Denmark tried something similar, as was referred to earlier, but abandoned it because the authorities were drowning, of course, in useless data, as they would have drowned in useless envelopes many years ago if they had tried this then. Australia considered it, but the police themselves said it was disproportionate. Many European countries, interestingly, have recently gone exactly the other way, relinquishing data retention powers following the ruling of the European Court of Justice in the so-called Digital Rights Ireland case in 2014.

At the request of David Anderson, QC, the Home Office has produced a so-called operational case for internet connection records, which we can all read. I would suggest that students of politics and government would do well to study that document, which is a model exercise in retro-fitting evidence to a predetermined policy. Naturally, it sets out how these data could be useful to the police and intelligence agencies. What it does not do, but should do, is to start from the operational need, where a lack of data is obstructing criminal investigations, and explore different options for meeting that need, while balancing the twin requirements of security and privacy.

It is simply false to claim that this dragnet approach is the only way to provide the Government with better tools to go after criminals and terrorists online. For example, as I said earlier, we could incentivise companies to move to the new industry standard for IP addresses at a much faster rate. That might sound terribly technical, but it is important, because our doing so would, at a stroke, go a long way towards solving the key problem of how to tie IP addresses on individual devices to suspects, which is one of the principal purposes of this Bill.

During my time in government, I saw very little sign that the Home Office had devoted any serious consideration to alternatives to ICRs. As the operational case illustrates, that is because this is a case not of evidence-based policy but of policy-based evidence. On top of that, we still do not know how it will actually work and how it would be defined. The Internet Services Providers Association states in its briefing for this debate:

“In its attempt to future-proof the Bill, the Home Office has opted to define many of the key areas in such a way that our members”—

these are the experts—

“still find it difficult to understand what the implications would be for them.”

The costs of ICRs are also unclear. The Government’s estimate is just over £170 million over 10 years, but the Internet Services Providers Association says that it does “not recognise” that figure, and BT has said that it believes the costs will be significantly higher.

Internet connection records are at the heart of this Bill. They are not just a technicality: they are principally at the heart of what information is stored on all of us for long periods by the Government in our name. This dragnet approach will put us completely out of step with the international community, there are practical problems with the proposal, and the terms used in the Bill are still unclear. That is why I urge Members in all parts of the House to scrutinise properly this far-reaching and poorly evidenced proposal, and to withhold parliamentary consent for such a sweeping power until the questions that I and others have raised are properly addressed.