(8 years ago)
Commons ChamberMy hon. Friend is right to raise this serious situation. I commend him and the Metropolitan police which, along with other police forces, has been working on Operation Sceptre, which includes knife sweeps. I recommend that he speaks to the head of Sutton Borough Council to see if they are interested in working with the Institute of Community Safety to undertake an area review and make sure that everything is being done to stop this dreadful crime.
The right hon. Gentleman is right to raise this issue. It is a local matter, of course, but it sounds like that important balance we tread between peaceful protest and responding to the law might have been handled in a rather tricky way in his constituency. I would always urge that peaceful protest is allowed, but I wonder sometimes whether police forces strike the right balance, as in the example he has given.
(8 years, 9 months ago)
Commons ChamberI am going to make some more progress now.
As I understand it, the intention of the authorities in building internet connection records is to list domains visited, but not uniform resource locators. There would not be a web-browsing history, as the Home Secretary said. The ICRs would show the “front doors” of sites that had been visited online, but not where people went when they were inside. That will give some reassurance to people who fear something more extensive, but the definition of ICRs in clause 54 remains extremely vague and broad. I see nothing that would prevent them from becoming much more detailed and intrusive over time, as technology evolves. The draft code of practice gives an illustration of what would be included, but it does not build confidence, as it acknowledges that information may vary from provider to provider.
It would help everyone if the Government set out a much stricter definition of what can and cannot be included in ICRs, and, in particular, specified that they can include domains but not URLs. The current confusion about ICRs is unhelpful and clouds the debate about the Bill. It needs to be cleared up.
As for the use of ICRs, schedule 4 sets out far too broad a range of public bodies that will be able to access them. It seems to me that the net has been cast much too widely. Is it really necessary for the Food Standards Agency and the Gambling Commission to have powers to access an individual’s internet connection record? I will be testing the Government on that. If there were a suspicion of serious criminality in respect of the food chain or a betting syndicate, surely it would be better to refer it to the police at that point. I must say to the Home Secretary that we shall want to see a much reduced list before this part of the Bill becomes acceptable to us.
Does the right hon. Gentleman agree that not only are ICRs poorly and very broadly defined, but, even in the context of a narrow definition, the Government would still be proposing that every website or domain visited by every citizen in the country, every minute of every day, should be retained and stored for 12 months? Does he agree that that principle, whatever the definition, constitutes a very extensive power for the Government?
I do agree. If such information were published, it would reveal far more about someone than an itemised phone bill. The Home Secretary began this whole process by saying that they were the same, and that this was simply the modern equivalent. It is not. It would reveal a great deal about someone.
The reassurance that I would hope to give is that it is not necessary to limit the information, but it is necessary to raise the threshold allowing the records to be accessed, in order to make this a test of serious crime rather than any crime. At present, the Bill refers to “any crime”, but I do not think it acceptable for the kind of information to which the right hon. Gentleman referred to be available in the context of lower-level offences. I hope that he may be able to support me on that point.
Our fourth area of concern relates to bulk powers. It is a fact that criminals and terrorists, operating both here and overseas, may use a variety of means to conceal their tracks and make it hard for the authorities to penetrate closed or encrypted communications networks. I accept the broad argument advanced by the authorities that power to extract information in bulk form can provide the only way of identifying those who pose a risk to the public, but the greater use of some of those bulk powers takes investigatory work into new territory. The routine gathering of large quantities of information from ordinary people presents significant privacy concerns, and points to a need for the warrants to be as targeted as possible. The operational case for the individual bulk powers was published by the Government alongside the Bill, but it is fair to say that the detail has failed to convince everyone. It is still for the Government to convince people that the powers are needed.
I associate myself with the remarks by the Home Secretary and others, and join in sending heartfelt condolences to the family and friends of the prison officer who tragically lost his life in Northern Ireland.
I shall start with the positive. Of course, my colleagues and I acknowledge that this Bill represents progress in some important respects. It is far more comprehensive than any previous piece of legislation and now covers all the powers that were previously unavowed. It contains important improvements in oversight and accountability, and compared with its predecessor, RIPA, it is easier to understand. However, as the Home Secretary, who alas has just departed, will know, she and I discussed the Bill yesterday. I am not a supporter of it, not for technical reasons but for reasons of principle, which I will come to. We feel that her Department has not responded in full to the criticisms of the three parliamentary Committees and that the Bill is, therefore, not yet in a fit state.
There are many problems, but I would like to highlight two in particular. First, as the former Attorney General, the right hon. and learned Member for Beaconsfield (Mr Grieve), said, the Intelligence and Security Committee was heavily critical of the way in which privacy protections were articulated in the draft Bill. In responding to the ISC’s request for a new part dedicated wholly to privacy, the Government have in effect done little more than change one word in a title. They have demonstrated precisely the point that the Committee made when it described the privacy protections in the Bill as an “add-on”.
I share the Committee’s concerns. The powers authorised by this Bill are formidable and capable of misuse. In the absence of a written constitution, it is only the subjective tests of necessity and proportionality that stand in the way of that misuse. The Bill should be far, far more explicit than it currently is that these powers are the exception from standing principles of privacy and must never become the norm.
The Home Office appears, unfortunately, to be institutionally insensitive to the importance that should be attached to privacy. A Department that cared about privacy would offer more than a one-word response to the ISC. A Department that cared about privacy would not have quietly shelved the privacy and civil liberties board, which this House voted to establish just last year. A Department that cared about privacy would have examined more proportionate alternatives to storing every click on every device of every citizen, instead of leaping to the most intrusive solution available.
What would the right hon. Gentleman say about privacy when it came to a victim of child abuse who was unable to find the perpetrator because of some of the restrictions he wants to put in the Bill?
As I know from my time in government, one of the greatest tools in going after precisely the perpetrators of such heinous crimes is matching the devices they use to them through IP addresses. That is why we passed legislation—the unfortunately acronymed DRIPA—which is being challenged in court by other Members of this House right now. It is also why, as I will explain in a minute, there are much more effective ways of achieving that objective than having a great dragnet, which is being advocated in the Bill.
Internet connection records, or ICRs, are my principal concern. We have been here so many times before—in 2008, 2009 and 2012. I cannot think of another proposal in Whitehall that has been so consistently championed, not, I should stress, by the police and the intelligence services, whose punctiliousness, scrupulousness and expertise I admire as much as anyone else, but by the Home Office, despite its failing to convince successive Governments. That is not the way that policy ought to be made.
The Home Secretary said that ICRs are significantly different from weblogs. The only differences that I can see are the exclusion of third-party data, welcome though that is, and the addition of some restrictions on the purposes for which the data can be accessed, although I note that some of those restrictions have now been relaxed again in clause 54 of the new Bill.
In terms of collection and retention, the scheme is the same—the name might be different, but the scheme is the same. Service providers will be required to keep records of every communication that takes place on their networks, and of potentially every click and swipe where there is an exchange of data between someone’s device and a remote server, for 12 months. It is the equivalent to someone in the days of steaming open letters keeping every front cover of every envelope from across the whole country stored in some great warehouse somewhere for 12 full months. It did not happen then, and it should not happen now.
The implication of this is very big indeed: it is that the Government believe, as a matter of principle, that every innocent act of communication online must leave a trace for future possible interrogation by the state. No other country in the world feels the need to do this, apart from Russia. Denmark tried something similar, as was referred to earlier, but abandoned it because the authorities were drowning, of course, in useless data, as they would have drowned in useless envelopes many years ago if they had tried this then. Australia considered it, but the police themselves said it was disproportionate. Many European countries, interestingly, have recently gone exactly the other way, relinquishing data retention powers following the ruling of the European Court of Justice in the so-called Digital Rights Ireland case in 2014.
At the request of David Anderson, QC, the Home Office has produced a so-called operational case for internet connection records, which we can all read. I would suggest that students of politics and government would do well to study that document, which is a model exercise in retro-fitting evidence to a predetermined policy. Naturally, it sets out how these data could be useful to the police and intelligence agencies. What it does not do, but should do, is to start from the operational need, where a lack of data is obstructing criminal investigations, and explore different options for meeting that need, while balancing the twin requirements of security and privacy.
It is simply false to claim that this dragnet approach is the only way to provide the Government with better tools to go after criminals and terrorists online. For example, as I said earlier, we could incentivise companies to move to the new industry standard for IP addresses at a much faster rate. That might sound terribly technical, but it is important, because our doing so would, at a stroke, go a long way towards solving the key problem of how to tie IP addresses on individual devices to suspects, which is one of the principal purposes of this Bill.
During my time in government, I saw very little sign that the Home Office had devoted any serious consideration to alternatives to ICRs. As the operational case illustrates, that is because this is a case not of evidence-based policy but of policy-based evidence. On top of that, we still do not know how it will actually work and how it would be defined. The Internet Services Providers Association states in its briefing for this debate:
“In its attempt to future-proof the Bill, the Home Office has opted to define many of the key areas in such a way that our members”—
these are the experts—
“still find it difficult to understand what the implications would be for them.”
The costs of ICRs are also unclear. The Government’s estimate is just over £170 million over 10 years, but the Internet Services Providers Association says that it does “not recognise” that figure, and BT has said that it believes the costs will be significantly higher.
Internet connection records are at the heart of this Bill. They are not just a technicality: they are principally at the heart of what information is stored on all of us for long periods by the Government in our name. This dragnet approach will put us completely out of step with the international community, there are practical problems with the proposal, and the terms used in the Bill are still unclear. That is why I urge Members in all parts of the House to scrutinise properly this far-reaching and poorly evidenced proposal, and to withhold parliamentary consent for such a sweeping power until the questions that I and others have raised are properly addressed.
(9 years, 1 month ago)
Commons ChamberIn relation to the warrantry that will be subject to the double lock and the process of interception, where the process currently requires a warrant signed just by the Secretary of State, it will in future have the double lock. Additional processes will be introduced in relation to some of the bulk capabilities to which I referred. Obviously, we have to appoint the investigatory powers commissioner. There will then be a process to determine who should be under the commissioner and the areas of expertise they should have. I have said to the Justice Secretary in Scotland and the Minister of Justice in Northern Ireland that we would expect to ensure that Scottish and Northern Ireland expertise is available to the commissioner.
I thank the Home Secretary for her statement. Her last Bill on this fraught but important subject hit the buffers. The current Bill is a much-improved model, although I have the feeling that, under the bonnet, it retains some of the flaws of its predecessor. The Home Office has clearly put in a lot of work, which I welcome, as I do the dropping of some of the key provisions on third-party data and encryption. I am a little confused by the advance briefings on the Bill: some suggest that it is a radical departure from its predecessor, and others suggest that much of it is the same. It cannot be both, and the devil will be in the detail.
On judicial authorisation, the Home Secretary has set out a somewhat complex double-lock compromise that may incur stop-start delays. I heard what she said earlier, but I wonder whether it would not be simpler and faster to provide for direct judicial authorisation. I should like to understand from her why she has not decided to do that.
On web browsing, I strongly welcome what looks at first like a significantly more proportionate and targeted approach, but will the Home Secretary explain why it is still necessary to hold such large amounts of data retrospectively for a considerable period of time?
Finally, will the Home Secretary tell the House why she has not acted on the commitment she made in the last Parliament to establish a proper US-style privacy and civil liberties board to provide reasoned scrutiny on such Bills in future?
The right hon. Gentleman says that there was some confused briefing. Different reports appeared in newspapers, but that is not necessarily the result of briefing. The situation on the Bill is what I have set out today in my statement—[Interruption.] The hon. Member for West Ham (Lyn Brown) says that I went on TV. I said on TV exactly what I am about to say to the House in relation to the difference between the Bill and the draft Communications Data Bill, which is that some of the more contentious elements are not in the current Bill. For example, the requirement for UK communications service providers to retain and access third-party data from overseas providers is not in the Bill, nor is the web browsing provision, to which the right hon. Gentleman referred, and nor is the provision that would have placed on US and overseas providers the same data retention requirements and obligations that apply to UK service providers.
On judicial authorisation, the double lock provides both judicial independence, but also, crucially, public accountability. That is what we get through membership of the House.
The right hon. Gentleman mentioned retrospective data. I put to him the case of the abducted child. We want to see who that child or young person was in contact with before they were abducted. We can do that through telephone records, but we cannot do it if they were using a social media app. That is what the intercept communications records enable us to do.
(9 years, 5 months ago)
Commons ChamberI speak as someone who, as the Home Secretary knows, had a hand in the commissioning of this excellent report. The right hon. Lady will remember with fond, misty-eyed nostalgia the debates that she and I had on this complex, fraught and all-important area of public policy. One of the consequences of those debates and disagreements was that a number of reports were commissioned, including David Anderson’s. We look forward, as the Home Secretary said, to the publication of the report by RUSI. I strongly endorse her compliments to David Anderson and to the authors of the other reports, and I join in all that has been said in complimenting the professionalism and integrity of the work of the agencies—professionalism and integrity that I found on display daily in my work with them in government. As I will explain, my quibbles were invariably with proposals emanating from the Home Office about what new power should make its way on to the statute book, rather than with the day-to-day conduct of our highly effective intelligence agencies.
On the back of this excellent report from David Anderson, we have an unusual opportunity to try to reset the balance between privacy and liberty on the one hand, and safety and security on the other, in a digital age. As the Home Secretary rightly pointed out, all too often this debate is falsely caricatured, as if people who worry about security do not worry about liberty, and people who worry about liberty do not worry about security. In this area, as in so many other walks of life, it is necessary to strike the right balance. To somewhat misquote Benjamin Franklin, if we give up our liberty to gain a little security, we will deserve neither and lose both. As the shadow Home Secretary said, we should be striving to strengthen both liberty and security in tandem.
I am certainly no slouch when it comes to introducing new surveillance powers on to the statute book when it is demonstrably the case that doing so makes us safer and is necessary in order to keep up with new technologies. That is one of the reasons, as the Home Secretary is aware, why I always advocated legislating, as we have done, to enable enforcement agencies to match IP addresses to handheld devices, and why we legislated in the Data Retention and Investigatory Powers Act 2014—the acronym is DRIPA, unfortunately—to improve data-sharing between UK and US enforcement agencies. However, I have always drawn the line—I did in government and I do now—at proposals that I feel are either not based on proper evidence or not adequately proportionate and transparent. It is in that light that I would like to turn to a few of the points made by David Anderson.
I will not dwell on the points that have already been made about introducing a judicial role in the issuing of warrants, but I want to underline the shadow Home Secretary’s point that David Anderson made his case on the basis not just of principle, by pointing out that our practice is significantly out of line with how warrants are issued in other analogous jurisdictions, but of his observation—this was surprising, at least to me—that there might be operational value in introducing a judicial element in the issuing of warrants, as it would enable us more readily to secure data from American communications service providers, which are used to that kind of system.
I want to dwell on David Anderson’s comments on the draft Communications Data Bill—the so-called snoopers charter. David Anderson is scathing in his report about the proposals in the Bill to force UK network providers to collect and store third-party data relating to services operated by companies based overseas. He says quite unambiguously that,
“there should be no question of progressing this element of the old draft Bill until such time as a compelling operational case has been made”.
It is worth reflecting on that for a moment. I was told categorically and repeatedly in government that that was absolutely necessary for the safety of the public; that public safety would be in jeopardy if I did not endorse it. David Anderson has now found that no operational case has been made for that. Echoing an earlier question to the Home Secretary, I seek clarity from the Government on whether the forthcoming Bill will contain third-party data provisions, which David Anderson has said it should not.
In the light of that, I think that we should treat other proposals that do not have a clear evidence base or rationale—most importantly, the Home Office’s proposal to require CSPs to store so-called weblogs—with an equal amount of healthy and considered scepticism.
I thank my right hon. Friend for that intervention, which I will come to in a moment, because David Anderson has made some specific recommendations on how we compare with other jurisdictions.
David Anderson has managed to do something that I certainly did not manage to do in government: to get the Home Office to define the somewhat nebulous term of weblogs. Weblogs, according to his report, are
“a record of the interaction that a user of the internet has with other computers connected to the internet.”
The House should take a long, hard look at that definition. It encompasses just about everything someone is likely to do on an internet-connected device—every step they take, every app they open, every edit they make to an online document—and that would be stored for the entire population for 12 months. David Anderson says that, remarkably, at no point was he presented with a “detailed or unified case” for such sweeping powers.
David Anderson also makes it clear—this relates to the point my right hon. Friend the Member for Carshalton and Wallington (Tom Brake) has just raised—that we would be seriously out of step with the rest of the world. He states:
“I am not aware of other European or Commonwealth countries in which service providers are compelled to retain their customers’ web logs for inspection by law enforcement. I was told by law enforcement both in Canada and in the US that there would be constitutional difficulties in such a proposal.”
The House will also be interested to know that the new Australian data retention law specifically excludes the collection of weblogs precisely because the Australian police told their Government that it would be a disproportionate invasion of privacy.
It is entirely reasonable for law enforcement to want to identify how a known suspect is communicating online, but that is a completely different proposition from the one that the Home Office has now been putting forward in one form or another for eight years. David Anderson sets out a strict process, including using existing powers better but less intrusively than planned by the Home Office, and the presentation of a proper operational case before any detailed proposal is put forward by the Government. I am obviously keen to know from the Government whether that reasonable approach that he advocates will indeed now be pursued.
Finally, I welcome the Home Secretary’s announcement today that the Bill will be published for pre-legislative scrutiny, which will allow further debate on its undoubtedly complex and important provisions. The Bill must be as comprehensive as possible. Both the Intelligence and Security Committee and David Anderson have argued that it should incorporate all the powers that exist in different statutes at present. In that spirit, I hope that the Government will undertake to avow all undeclared surveillance capabilities and major programmes as part of that process.
I have come to the view that the Government’s standard blanket position of “neither confirm nor deny” is simply no longer tenable. Recent disclosures mean that the public are able to read detailed accounts of alleged surveillance capabilities, but Government Ministers are unable to explain or defend the need for them in this House or in public. I believe that undermines public trust, feeding a suspicion that there are parts of the system that somehow operate beyond proper scrutiny and transparency. Although we cannot and should not reveal details of operations and specific investigatory techniques, will the Home Secretary ensure that large- scale programmes, such as those referred to in recent revelations, are properly avowed at some point in the near future?
In conclusion, it seems to me that, as has already been said, and as the Home Secretary herself has suggested, we have a big opportunity. The deadline of December 2016 is approaching, when the current data retention powers will fall. Decisions must be taken—they simply cannot be ducked any longer—and they must be taken as consensually as possible, and on the basis of clear principles of necessity, transparency and proportionality. Surveillance powers are a necessary part of a liberal society, as we must have the ability to prevent criminals from curtailing the liberty of others to live their lives free from crime, but those powers must be based on evidence that they are both necessary and proportionate to the threat we face. I suggest that this House should not entertain proposals for significant, intrusive new laws based on assertion and rhetoric alone.