Only a few days to go: We’re raising £25,000 to keep TheyWorkForYou running and make sure people across the UK can hold their elected representatives to account.Donate to our crowdfunder
In moving the amendment, I should also like to speak to Amendment No. 141A.
I confess that some of the steam has been taken out of my concerns as a result of our debate on Amendment No. 139A. Part of my motive was to seek the promotion of plain text ahead of key disclosure. However, a tangential issue remains, concerning the structure of the clause. I cannot help feeling that in the context of subparagraphs (a), (b) and (c) subparagraph (d) is incongruous. Hence my formulation of including it in the preface to subsection (2). I should be grateful for an explanation from the Minister as to why, in so far as it remains relevant, subsection (2) is structured in the way that it is. I beg to move.
The change in the amendment and the consequential change proposed by Amendment No. 141A are covered by government Amendment No. 141B, which we have already discussed. The amended subsection (d) reads:
"it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section".
I hope that that amendment reassures the noble Lord. It should; that is certainly our intention.
If we wait long enough we may have the presence of the noble Lord, Lord McNally. I should be very interested to hear him, particularly on Amendments Nos. 157 and 158, where we enter the area of the non-disclosure of key signatures. Where one has used, as some programs will use, one's signature to encrypt something, one's signature is liable to be seized. If that is so, I am not clear how, under the Electronic Communications Bill, the authorisations and signatures that one has made using that signature are affected. Their security is no longer perfect and the possibility that they have been forged becomes real. I am concerned about the way in which the two Bills will work together--the ability to seize someone's signature and the uses to which it will now be put under the Electronic Communications Bill. I do not know how that will all hang together.
Amendments Nos. 157 and 158 address the issue in a slightly different way and add another level of protection. As the Bill is drafted, if one has used a password to hide one's signature one may be forced to reveal it. However, I believe that under Amendment No. 157 a person would be spared that requirement. I should not like to miss the noble Lord's comments on those amendments.
Our amendments were tabled to close a loophole as far as concerns the use of electronic signatures. Because I entered the Chamber half-way through the debate I am not sure what the weakness in our amendments is supposed to be. The intention is to achieve recognition of the electronic signature and protection thereof. I say no more.
It is rather difficult to respond to amendments that have not been spoken to. I am content to run through all the amendments in the group, if that is what the Committee desires. Very little reference has been made to the entirety of the grouping. Most of the points made relate to Amendments Nos. 157 and 158. If it assists the Committee, I shall respond only to those amendments which I believe the noble Lord, Lord McNally, and others regard as the most important in the group.
We fully recognise the importance of maintaining the integrity and security of electronic signatures. In that sense we understand why these two amendments have found their way into the group. For the record, I stress the policy position. There is no law enforcement requirement relating to keys that are used solely for the purposes of electronic signature. We believe that there are misplaced worries about signature keys being obtained and then used to impersonate their owners. Clearly, that would not be in the interests of law enforcement, since possibly it would have the wider effect of undermining the validity of such devices and potential prosecutions. The whole point about electronic signatures is to ensure the integrity and authenticity of data.
As I understand it, it is possible for signature keys also to be used for the purposes of confidentiality; in other words, to protect or encrypt the content of data or messages. This is of interest to us. The ability of criminals to encrypt the content of their data is the precise threat that we address in Part III. We believe that where keys have been used for both purposes it is reasonable to have power to require their disclosure. The Committee recognises that in the first limb of Amendment No. 157. The question is whether the second limb--sub-paragraph (b)--and Amendment No. 158 add extra safeguards. Frankly, we do not believe that they do. The protection of electronic signature keys is already there. By virtue of Clause 46(6), if keys have not been used for any other purpose they cannot be required to be disclosed: the Bill prohibits such access. But we believe that if keys have been used for the purposes of confidentiality it is right that they may be required to be disclosed.
In all this it is important to have in mind that we envisage that the times when keys themselves will be required to be disclosed will be limited. The choice of which key to disclose, if there is more than one which can decrypt the relevant information, is very much left to the recipient of the notice.
Amendment No. 158 seeks to address the possibility that keys which may once have been used for the purposes of confidentiality, but have not been so used for some time, may be required to be disclosed because of some recent malicious behaviour by a party who is not the keyholder. We are aware that such a scenario has been painted, but we believe that those fears are overstated. The fact remains that the Bill needs to cover keys which have been used for the purpose of confidentiality and signature. We believe that there are appropriate tests and restrictions that govern access to keys and that Clause 46(6) provides necessary, proper and adequate safeguards for signature keys.
Clearly, confidentiality and integrity are key factors--no pun intended. We understand the spirit in which these amendments and the others in the group are tabled. I trust that, following my comments on Amendments Nos. 157 and 158, the noble Earl will feel able to withdraw his amendment.
This is a key point. I flipped through some papers that I received from Japan where people have gone to great lengths to guarantee and protect signature keys. They regard that as a key part of public confidence in commerce in this area. I thank the Minister for his reassurances on this matter.
moved Amendment No. 141B:
Page 50, line 17, leave out from ("that") to ("without") in line 18 and insert ("it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form").
On Question, amendment agreed to.
[Amendments Nos. 142 to 144 not moved.]
Amendment No. 151A is grouped with this amendment. I trust that the Committee will think it convenient if I speak to it.
I return to an argument I advanced in debate on the first amendment we considered on the previous Committee day. It is ludicrous that Clause 46 notices,
"may take such form and be given in such manner as the person giving it thinks fit".
I believe that that affords carte blanche to the subjective opinion of anyone with the appropriate permission under Schedule 1 to compile their own versions of Clause 46 notices.
My amendment seeks to address the need for objectivity rather than subjectivity. The provision has the potential of imbuing the regime with uncertainty and an unwelcome lack of clarity. I might have preferred the noble Lord, Lord McNally, to have spoken to his Amendment No. 151, which I believe seeks to deal with the problem from a different perspective. None the less, I look forward to the Minister's reply.
I shall deal with the entire grouping, if I may. There are a number of amendments in this group relating to the nature of notices served under Clause 46. Some of the government amendments which we have already discussed have an impact on these amendments. I should like, first, to set out the rationale behind the amendments in this group.
Government Amendment No. 149XA should be welcomed. The amendment is tabled expressly as a result of representations from industry. Many in industry have been concerned that, notwithstanding the constraint on service of notices, some "spoof" notices purporting to be under the Bill could be served on companies and, in this way, security of companies could be compromised. No one wants that. We are anxious to minimise the possibility of any such spoof notices. We believe that the requirement in Amendment No. 149XA--that the office, rank or position of the person who granted permission for the giving of a notice under Schedule 1 be on the face of the notice--will add extra reassurance to those who received notices that those notices are genuine.
Amendments Nos. 149YA and 150ZA relate to the information that is to be on a notice served under Clause 46. These changes are consequential on the earlier restructuring of the balance between keys and plain text.
Amendments Nos. 150B and 158A are also consequential on the requirement, covered in the new clause tabled by the Government, that notices should be served on directors of companies or equivalent. As such, I hope that these, along with the other government amendments, will be welcomed by the Committee.
There are some outstanding issues from this group which I should address. Amendment No. 145 seeks to clarify that decryption notices can be given only in writing or by electronic means. I can see what the noble Lord is driving at. But I believe that the amendment is unnecessary. Our position on the form of decryption notices is this. They will be in written form. In time, we anticipate that, where necessary and applicable, they should be capable of being served electronically. I think that that is what the noble Lord seeks. But that is already catered for by the words in Clause 46(4)(a),
"or (if not in writing) must be given in a manner that produces a record of its having been given".
In another place, we amended Clause 46(4) to put on the face of the Bill further stipulations about the form a decryption notice should take. We have continued that process today. This is in response to industry concerns about the possibility of receiving spoof notices. There is no intention that notices should be given verbally with no written back up. As the Government said in another place, there is clearly a need for consistency regarding notices, for the sake of those authorising and serving notices and for the sake of those receiving them, be it individuals or business.
There should be an agreed format to notices. How that looks in practice is properly to be the subject of consultation with industry, of course, and others. The Government want to get this right in order to achieve clarity and best practice. It will be taken forward in the public consultation on the code of practice for Part III, which will suggest an example of the notice.
Amendment No. 146, tabled by the noble Lord, Lord McNally, seeks to ensure that there should also be a record of the notice having been received. I do not argue with the intent of that amendment. I question whether it is necessary. If notices are not received, then nobody is under any duty to comply with them. If there were to be a prosecution for non-compliance, the prosecution would have to prove that the notice was duly served. Therefore, it is in the interests of law enforcement to be able to show that the notice was indeed received. For these reasons the Government believe that what the Bill currently stipulates is as much as is necessary.
At least part of Amendment No. 146A is dealt with by the new clause tabled earlier by the Government requiring notices to be served on a director or equivalent within a company. As regards the other part of that amendment, that the notice should specify the person to whom the notice is given, it is believed that that would be good practice in accordance with the code of practice which will be issued for that part of the Bill.
The Government believe that the important requirements are already covered by subsection (4) of the clause as the Government propose it should be amended. It is not believed that the addition suggested in Amendment No. 146A will add to the verification process.
Amendment No. 148 seeks to ensure that the notice specifies which of the purposes listed in Clause 46(3) is applicable. That is certainly how the Government intend notices to be framed. That will be clarified in the code of practice.
It is believed that the intent of Amendment No. 149 is met by government Amendment No. 149XA, and, for that reason, the noble Lord is requested to withdraw Amendment No. 149.
The Government do have some sympathy with the intention behind Amendment No. 151. It is the intention of the Government that notices should be served in line with the guidance in the code of practice. There may, however, be some circumstances in which it is not possible, or not possible precisely to follow what is set out in the code. The Government undertake to consider the matter further to explore whether there is any extra reassurance that can be offered on the face of the Bill.
Amendment No. 155 seeks to ensure that where material is disclosed to an individual who is not the person giving the notice, that person should be in the same category of person as the person giving the notice. It is believed that that will remove a degree of flexibility which will be important.
Take for example the Technical Assistance Centre: where keys are to be demanded, it may be that secure transmission conditions require that the key be disclosed direct to the Technical Assistance Centre rather than the person giving the notice. Staff at the Technical Assistance Centre will be selected for their technical proficiency and their security classification rather than for the rank which they hold in a particular organisation. It is believed that the stricture required by Amendment No. 155 may limit the flexibility required in terms of secure transmission to the TAC, and for that reason it is resisted. It is to be hoped that it can be agreed that the primary objective here in the rare cases where keys are demanded is that there will be transmission. That is the objective.
I have outlined the reasons behind the Government's amendments in this group. I have also outlined why the Government do not feel able to accept the amendments of the noble Lords opposite. In one case, the offer has been made to consider the matter further. In other cases, the intent of the noble Lords' amendments is, I believe, already met by those tabled by the Government.
In the light of those considerations, it is to be hoped that noble Lords will feel able to withdraw their objections. I commend the Government's amendments to the Committee and resist those tabled by Members opposite.
There were a large number of reassurances in the Minister's reply. As I said, the intention of these amendments was to try to tighten up and clarify these procedures. Some of the amendments have indeed been overtaken by the Government's own amendments.
Regarding the amendments tabled by the noble Earl, Lord Northesk, they look similar and are probably better than ours. I beg to leave to withdraw the amendment.
moved Amendments Nos. 149XA and 149YA:
Page 50, line 33, at end insert--
("( ) must specify the office, rank or position of the person who for the purposes of Schedule 1 granted permission for the giving of the notice or (if the person giving the notice was entitled to give it without another person's permission) must set out the circumstances in which that entitlement arose;").
Page 50, line 34, leave out paragraph (e).
On Question, amendments agreed to.
I shall not press the amendment. If the Minister wants to comment on it, that is up to him. Neither shall I speak to Amendment No. 162A in the group; we have covered that subject. The amendment merely suggests another way in which, in the tiny number of cases in which the key will be demanded, we can obtain high-level authorisation. If it cannot be obtained from a judge, it should come from the interception of communications commissioner.
I shall speak to Amendment No. 176ZA with Amendment No. 171 because the two go together. If the Minister wants to comment on them now, I shall listen to him with great interest. I beg to move.
My Amendment No. 178 refers to the secrecy of a key once it has been obtained. It is most important that all concerned should be reassured about that. If the Minister can point to a provision in the Bill which places a duty on the authorities concerned to maintain the secrecy, I shall not press my amendment. However, it is important that the provision is written into the Bill somewhere.
Amendment No. 179 is almost identical to Amendment No. 178. I say merely that the representations I have received indicate a real concern about the security of the key once it enters the government machine, partly because it undermines international confidence. Part of the problem with the Bill relates to differences of perception. The men or women in Whitehall are confident that their remarks and assurances will satisfy any reasonable person who knows how Whitehall or public bodies work, but it is not reassuring to those who are dealing with international companies or trying to maintain business confidence. These are important issues and, like the noble Lord, Lord Cope, I look for guidance and assurance from the Minister.
I shall deal with all the amendments in the group, from Amendment No. 176ZA onwards. That amendment covers ground to which we will come when we discuss the amendments relating to the tipping-off offence. I believe that the concern is that some legitimate action will be caught by the tipping-off offence. When we come to the group of amendments, I shall explain why, for example, revocation of keys--a device for ensuring the confidentiality of systems--does not fall foul of the offence. Similarly, Clause 51 does not prevent or penalise other legitimate action taken to preserve confidentiality.
Amendment No. 149ZA is most perceptive. I believe that the noble Lord is seeking to be helpful with his proposal. We had thought about including such a provision in the Bill, but, in the event, we decided against it. We believe that there would need to be some kind of additional test for forbidding such action, perhaps including "reasonable" and "proportionate", as well as "exceptional". Again, it is a question of the delicate balancing exercise which we hope we have constructed properly.
In some instances we are simultaneously criticised for being too draconian in the Bill and for not giving law enforcement officers sufficient powers. It is difficult to get the balance right. Certainly it is difficult to satisfy both ends of the argument. Therefore, we decided not to proceed with a provision along the lines of that set out in the noble Lord's amendment. However, we hint at it in Clause 50(4)(b) as part of the defence where particular software is designed to disclose the fact that a key has been revealed. However, I am grateful to the noble Lord for having raised that particular point.
From my understanding, Amendment No. 162A tries to add an extra safeguard in cases where keys may be required under a disclosure notice. However, the interception commissioner will not necessarily be the appropriate oversight point for all cases where a key may be demanded. We believe that that nullifies the intended effect of the amendment.
I turn to Amendments Nos. 178 and 179. I appreciate the spirit behind these amendments. In particular, I take the point made by the noble Lord, Lord McNally, about international confidence. He is right. It has much to do with perceptions. Perhaps we have embarked upon this erroneously, but I believe that all Members of the Committee can be helpful in trying to add that reassurance to the Bill. That is why I particularly welcome the spirit behind the amendments.
As Members of the Committee will be aware, we resisted a similar amendment in another place. However, as with the other issues connected with Part III, we recognise fully that the question of secure handling of keys is of critical importance. I am happy to set out our position again.
First, it is worth stressing that we understand the need to store securely all sensitive material obtained under the Bill. As regards keys obtained lawfully under Part III, Clause 51 already sets out strong safeguards which govern the retention, copying, destruction and treatment generally of material otherwise obtained under the new powers. I believe that the safeguards are described in very practical terms.
We are not convinced that the addition of the word "safely" is at all necessary. As I said, we set out in practical terms the safeguards provisions which must be in place; for example, with regard to limiting the extent of disclosure. Similar considerations apply to the sensitive material obtained under interception warrants. It is the case now that material obtained lawfully under existing interception powers is held very securely. The reasons for that are plain to see. However, as with the case for Part III, the relevant safeguards provisions which cover interception in Clause 14 of Part I do not contain a specific requirement for material to be held safely. I believe that that point was debated earlier in Committee.
The safeguards arrangements in Clause 51 will be overseen by independent commissioners who will have a statutory responsibility to examine the adequacy and veracity of the arrangements and to report on inadequacies to the Prime Minister directly. However, that said, industry and the public at large will undoubtedly wish to be reassured that, over and above what appears on the face of the Bill, the Government are taking very seriously the issue of protecting keys. As I said, we believe that to be of fundamental importance.
Deploying the highest level of protection for keys and other sensitive information relating to key holders is a specific objective of the technical project to establish the dedicated resource--the Technical Assistance Centre--which we are putting in place to assist law enforcement in relation to encryption.
As Members of the Committee will have seen, the Chancellor of the Exchequer has made available to the Home Office £25 million of modernisation capital to establish that facility. Work is in progress. Security is paramount, including the security of data and keys being transported to the centre, whether physically or electronically. The commissioners will have access to the facility. It is essential to provide reassurance that it is properly executing functions derived from the legislation.
Clause 51 already sets out strong safeguards governing the handling of keys. We take the issue seriously. Questions of technical, physical security are being taken forward by the project to establish the TAC. I hope that, with that fairly lengthy explanation, for which I apologise, the noble Lord will feel able to withdraw the amendment.
With your Lordships' leave, I shall speak also to Amendment No. 150A.
I concede that my choice of 40 days is arbitrary. I am not wedded to it. Indeed, dare I say it, I am more comfortable with the Liberal Democrat amendments.
The fundamental point on subsection (4)(f) is that the timetable for compliance should be reasonable. At least to that extent, these are probing amendments. I should be grateful to hear the Minister's views on the appropriate timescale. The underlying principle--that a Section 46 notice should have a reasonable timetable for compliance--is a sound one. I beg to move.
The noble Earl, Lord Northesk, has caught the spirit of our amendments. There should be a time limit. Notices should not be left open-ended. We want the provisions to work, but they should not be left hanging over companies or individuals. We want to probe the Minister on that and I shall be interested to hear his response.
I shall deal with the entire group. The amendments all cover the duration of Section 46 notices. Some people are concerned that they will last for ever, which might place unreasonable requirements on bodies, commercial organisations or individuals. I assure noble Lords that notices will not last for an eternity and I welcome this opportunity to explain our thinking behind the current wording.
Amendments Nos. 149A, 150A and 152 would all limit the duration of notices--each in a slightly different way. The noble Earl, Lord Northesk, said that he was not wedded to 40 days. I thought that it was a Biblical reference--40 days and 40 nights--and I am impressed that he used it.
The fears about the duration of notices are misplaced. I shall try to offer some reassurance. It would not be right for a Section 46 notice to last beyond the period for which the seeking of information could be justified as necessary. There are a series of measures in the Bill to achieve that.
Clause 46(2) states that a person may serve a notice only if he believes that its imposition is necessary or likely to be of value and it must be proportionate to what he is trying to achieve. So, clearly, a notice with a long duration would be entirely inappropriate in minor cases.
Secondly, Clause 46(4)(f), as currently drafted, requires that the notice should specify the time by which the disclosure is to be made. Again, a notice which required disclosures to be made ad infinitum would be hard to justify on any ground, proportionality included.
Thirdly, it is important to remember that the decryption power in Part III of this Bill is merely ancillary to existing powers. Clause 51(2)(a) requires that a key disclosed in pursuance of a notice is only used to access information in relation to which power to give such a notice was exercised, or could have been exercised if the key had not already been disclosed. In other words, the duration of notices will in general be tied explicitly to the duration of the underlying statutory power. So, for example, where an interception warrant is authorised for three months, the ancillary Clause 46 notice will expire shortly after the date when the warrant expires, or be renewed along with it. Search warrants under the Police and Criminal Evidence Act 1984 usually expire after 28 days. Again, a relevant Clause 46 notice would expire shortly afterwards.
Fourthly, the code of practice for Part III will set out in considerable detail appropriate duration periods for different types of notice. As we have said many times, we shall consult on the code, which is of course subject to the affirmative resolution procedure.
To sum up, there are already measures in the Bill to ensure that notices may not last for ever, as some have mistakenly believed.
I turn now to Amendment No. 153. Similar concerns about the duration of notices lie behind this amendment. But what is proposed in this amendment is unnecessary. Clause 46(2) already ensures that notices may be served only where the imposition of a disclosure requirement is necessary and proportionate. Those tests remain in place under the new construction that we are proposing for Clause 46.
Amendment No. 150 suggests that a person served with a notice should be given a reasonable time to comply with it, and that the authorising officer should take account of the technical difficulties of performing the disclosure in setting a requirement by when compliance must take place. We resisted a similar amendment in Committee in another place. I shall reiterate what we said then.
What constitutes a "reasonable" time to comply with a notice will undoubtedly vary from case to case and will depend on a number of factors. The technical capacity or expertise of the body or individual on whom the notice is served is one consideration. But it is not the only one. Whether there are particular time pressures on an investigation is clearly another consideration. Would it be reasonable, for example, to require an urgent response to a notice in genuine life and death circumstances? We might legitimately argue that it would. In other cases, a slower response might suffice. But those are questions for the person authorising the use of the decryption power to properly weigh up in the light of the particular circumstances of the case. We shall cover all those issues in the code of practice.
As we also pointed out, the Bill as drafted provides a reasonable safeguard against unreasonable demands being made at Clause 49(3)(a) by providing a defence to the offence of failure to comply. We retain that defence in the new construction of the offence in Clause 49.
I hope that that full explanation will enable the noble Earl to withdraw the amendment.
I am grateful to the Minister for his response, which was, indeed, helpful. It may be that we shall return to this matter at a later stage. I remain keen on phraseology along the lines of "reasonable in the circumstances", but I take the Minister's point in relation to the code of practice, which I hope it will be possible for us to see. For the moment at least, I beg leave to withdraw the amendment.
moved Amendment No. 152A:
Page 50, line 41, at end insert--
("(4A) Where it appears to a person with the appropriate permission--
(a) that more than one person is in possession of the key to any protected information,
(b) that any of those persons is in possession of that key in his capacity as the officer or employee of any body corporate, and
(c) another of those persons is the body corporate itself or another officer or employee of the body corporate, a notice under this section shall not be given, by reference to his possession of the key, to any officer or employee of the body corporate unless he is a senior officer of the body corporate or it appears to the person giving the notice that there is no senior officer of the body corporate and (in the case of an employee) no more senior employee of the body corporate to whom it is reasonably practicable to give the notice.
(4B) Where it appears to a person with the appropriate permission--
(a) that more than one person is in possession of the key to any protected information,
(b) that any of those persons is in possession of that key in his capacity as an employee of a firm, and
(c) another of those persons is the firm itself or a partner of the firm, a notice under this section shall not be given, by reference to his possession of the key, to any employee of the firm unless it appears to the person giving the notice that there is neither a partner of the firm nor a more senior employee of the firm to whom it is reasonably practicable to give the notice.
(4C) Subsections (4A) and (4B) shall not apply to the extent that there are special circumstances of the case that mean that the purposes for which the notice is given would be defeated, in whole or in part, if the notice were given to the person to whom it would otherwise be required to be given by those subsections.").
On Question, amendment agreed to.
[Amendments Nos. 153 and 153A not moved.]
moved Amendment No. 158A:
Page 51, line 5, at end insert--
("( ) In this section "senior officer", in relation to a body corporate, means a director, manager, secretary or other similar officer of the body corporate; and for this purpose "director", in relation to a body corporate whose affairs are managed by its members, means a member of the body corporate.").
On Question, amendment agreed to.
Clause 46, as amended, agreed to.