Relevant documents: Pre-legislative scrutiny by the Joint Committee on the Draft Investigatory Powers Bill, Session 2015-16, 1st Report from the Joint Committee on Human Rights, 2nd Report from the Delegated Powers Committee, 3rd Report from the Constitution Committee
Clause 58: Power to grant authorisations
My Lords, we recognised during the passage of the Bill thus far that care must be applied to the acquisition of internet connection records—in particular, that they should not be acquired for trivial purposes. Their value to law enforcement has been widely recognised, and the Bill, as introduced, already restricts access to four specific purposes. In addition, local authorities cannot acquire them for any purposes.
However, in response to a suggestion from the shadow Home Secretary in the House of Commons, the Government committed to consider further restrictions which would provide greater reassurance that the powers to acquire internet connection records would only ever be used proportionately. These amendments therefore apply a threshold to the acquisition of internet connection records when the statutory purpose is for the prevention and detection of crime. This means that they will be able to be acquired only for offences that are sufficiently serious that an offender can be sentenced to at least six months’ imprisonment.
In implementing this threshold, however, it is important that internet connection records can continue to be used for certain offences which, for whatever reasons, carry a lower sentencing limit. I am sure that noble Lords will agree that internet connection records should be available for these offences. These are: the investigation of any offence where the sending of a communication is an integral part of the offence: for example, offences related to stalking, cyberbullying and harassment which can, if not investigated, quickly escalate to more serious offences; offences relating to breach of a person’s privacy, such as stealing personal data, which recognises the importance of protecting privacy in the digital age and the need to fully investigate any suspected breaches; offences committed by corporate bodies—for example, corporate manslaughter, where a penalty of imprisonment cannot apply; and any offence meeting the serious crime threshold in the Bill for the most intrusive powers, ensuring that these powers can be used to investigate offences involving the use of violence, conduct that results in substantial financial gain and conduct by a large number of people in pursuit of a common purpose.
A number of consequential amendments are made as a result of this amendment. The Government and law enforcement are clear about the value and importance of accessing internet connection records to prevent and detect crime, and to keep the public safe. That has been recognised during the passage of this Bill thus far, including by noble Lords at Second Reading. The amendments build significantly on the safeguards that the Bill already applies to the acquisition of communications data. They are based on the amendments proposed by the Opposition in the House of Commons and they will ensure public trust in the use of these vital powers. I beg to move.
My Lords, the restrictions on using internet connection records set out in these amendments are welcome. However, we intend to propose the removal of internet connection records from the definition of communications data that the Secretary of State can require a telecommunications operator to retain when we come to debate Clause 83. The intended effect of that amendment would be to make it impossible to obtain internet connection records unless they were retained by the telecommunications provider for its own business purposes. I will leave any further comment on internet connection records until we reach Amendment 156A to Clause 83.
We welcome the spirit of the Government’s amendments, which, as the noble and learned Lord said, seek to fulfil the commitment the Government made during the passage of the Bill in the Commons to introduce a clear and appropriate threshold for accessing internet connection records. The concern was that access should not be available in connection with non-serious crime. The threshold for serious crime appears workable and appropriate.
We welcome, too, the fact that specific offences such as stalking and harassment have been addressed and can lead to access to ICRs. However, we have continuing concerns around the definition of “relevant crime”, which we feel is too broad and could still lead to the use of ICRs in connection with crimes that would not be regarded as serious. Last April, the then Home Secretary told the shadow Home Secretary that restricting ICRs to serious crime would: hamper the ability of the police to investigate online stalking and harassment; disrupt police investigations of online grooming or the sending of sexual communications to a child; reduce the ability to investigate online fraud; hinder the ability to identify and disrupt the sale and distribution of illegal material online, including illegal weapons, counterfeit medicines or illegal drugs; and prevent the police from progressing investigations where there may be a threat to life, but where it is unclear whether a crime is involved—for example, locating a missing or suicidal child—because many of these activities would not meet the serious crime threshold.
We do not disagree with the intention set out in that communication from the Home Secretary to the shadow Home Secretary, but if the Government have a list of specific offences or types of offences which they feel fall below the serious crime threshold but should not be subject to a restriction on access to ICRs, perhaps that is a matter that needs further discussion about what should be included on the list or what should be covered. We wish to see the wording in the government amendment tightened further. We would want to work with the Government on this while the Bill is progressing through its stages in this House. I hope that the Minister, on behalf of the Government, will feel able to indicate that he is willing to have further discussions on this and the wording of the amendment in the light of our concerns about the apparent broad nature of the definition of “relevant crime”.
My Lords, I am obliged to the noble Lord. I welcome the suggestion that we are at least heading in the right direction with regard to these amendments. We would of course be open to further discussions on this topic so we can address more fully what is a relevant crime in this context. I will add that one has to bear in mind that these potentially intrusive orders will be made only where it is necessary and proportionate. That is the test that exists, but I welcome the opportunity for further discussion with noble Lords.
Amendment 115 agreed.
My Lords, I shall speak to Amendment 116 in my name and that of my noble friend Lady Hamwee. We also have our names to Amendments 154 and 235 in this group.
These amendments relate to a government commitment not to require telecommunications operators to retain third-party data. On
“will not include powers to force UK companies to capture and retain third party internet traffic from companies based overseas”.—[
However, Clause 58(5)(c) states:
“An authorisation … may, in particular, require a telecommunications operator who controls or provides a telecommunication system to obtain or disclose data relating to the use of a telecommunications service provided by another telecommunications operator in relation to that system”.
Surely this means third-party data.
Amendment 116 would alter Clause 58(5)(c) to read, “may not require”. The key point here is that telecommunications companies should not be forced to obtain third-party data. The draft code of practice on communications data states at paragraph 2.61:
“A data retention notice can never require a CSP to retain the content of communications or third party data”.
Paragraph 2.66 states:
“A CSP cannot be required to retain third party data as part of an ICR”.
Amendment 154 would add a new subsection to Clause 83(2)—the clause headed “Powers to require retention of certain data”—to make explicit that a retention notice may,
“not require a telecommunications operator to retain any third party data, unless that data is retained by the telecommunications operator for its own business purposes”.
This is to distinguish between communications data that the telecommunications operator may have and being forced to acquire third-party data that it does not have.
Amendment 235 would restrict the definition of communications data in Clause 233(5) so that it relates to the provision of the service by that operator and not a third party. I beg to move Amendment 116.
My Lords, I have added my name to Amendment 154 and will not repeat what has been said about it. It simply asks the Government to make explicit what they have said—namely, that the retention of third-party data will not be required. It would be helpful to make that clear in the Bill.
My Lords, as the noble Lord, Lord Paddick, has explained, these three amendments all deal with the issue of third-party data. Amendment 116 seeks to prevent public authorities from acquiring third-party data, Amendment 154 seeks to put the Government’s commitment not to require retention of third-party data on to the face of the Bill and Amendment 235 seeks to amend the definition of communications data to exclude from it third-party data.
On the acquisition of third-party data, the Bill maintains the existing position under RIPA that public authorities can acquire third-party data where necessary and proportionate to do so. But I want to be clear here—a provider is required to comply with a request for communications data, including a request for third-party data, only where it is reasonably practicable for them to do so. It is absolutely right that, where a communications service provider holds, or is able to obtain, communications data, whether in relation to their own services or those provided by a third party, then the data should be available to public authorities for the statutory purposes in the Bill. Put simply, data that already exist, are already held and which could save a life, convict a criminal, prevent a terrorist attack or provide an alibi, should not be put out of reach of law enforcement based solely on which company it is that holds the information.
Amendment 154 deals with the retention of third-party data. As I am sure the noble Lord knows, this matter was considered in the Commons, where the Government gave a commitment to consider it further. I am grateful to the noble Lord and the noble Baroness for tabling this amendment and giving me an opportunity to update the Committee on those considerations. My right honourable friend the Home Secretary has given a clear commitment that we will not require a telecommunications operator to retain third-party data, and that commitment is given effect to in the Communications Data Draft Code of Practice. However, distilling that commitment into primary legislative drafting is complex. We do not want to include provisions in the Bill that are not entirely clear in scope or which put in place restrictions that are broader, or indeed narrower, than intended. But we have been making good progress and are close to a provision that we think achieves the desired outcome. Of course, we need to test that drafting with operational stakeholders and with those telecommunications operators likely to be affected by the legislation, but we hope to be able to return to this issue on Report.
Finally, on Amendment 235, the principle of what are communications data is clear. Changing that position so that the classification of data changes depending on which provider holds them would no doubt cause confusion among providers as to how the data should be handled. While I understand the concerns around third-party data, and hope that what I have said today lays some of those to rest, amending the definition of communications data is not the right way forward. I invite the noble Lord to withdraw Amendment 116.
I am grateful to the Minister for his explanation and am encouraged by the promise of government amendments on Report. I have to say that I am still a little confused. The former Home Secretary, in her commitment, said that third-party data of telecommunications operators from abroad would not be required to be retained by UK telecoms operators. If the third-party data are of a different UK telecoms operator, surely the Secretary of State can make an order to get the data from that operator. But I will read carefully in Hansard what the Minister has said. As he has made a commitment, we will come back to this on Report. For the moment I beg leave to withdraw the amendment.
Amendment 116 withdrawn.
My Lords, in moving Amendment 119, I will also address Amendment 202 in this group. At Second Reading, the noble Lord, Lord Birt, made an impassioned speech which echoed my thoughts exactly. What most of us experience as crime related to the internet are the daily attempts to pick our pockets and to mug us in other ways which crowd our inboxes, even with all the filters that are in place in Parliament and much more so on one’s private email. This is the experience of the average citizen of the internet: a caricature of a Dickensian London street, a place where you always have to be on your guard, where it is not safe to be.
In the Bill the Government are giving themselves the power, potentially, to help us do something about that. These amendments are intended to probe whether the Government have gone far enough to enable them to put those things into effect. When they talk about “serious crime”, they are talking of the equivalent of murder. But “serious” to us is small crimes, repeated in large numbers, every day, which are much more likely to have an effect on us—indeed, on every citizen.
Once the Government have the access to data that they are seeking in the Bill, they have the power to help us. They can warn us, “Hang on, you’ve been on a website that’s probably infected, you ought to do something about that”, because they know everything we have done on the internet, potentially; or they can start to do that, or they can explore the possibility of helping us.
Noble Lords who were here for the debates on identity cards will remember the great issues of principle we discussed then. But the sort of information we were afraid to give a Government we give every day to Google. You give it to Nintendo if you play Pokémon GO. We are astonishingly willing to part with our information if we get something back.
However, the contract that the Government advertise in the Bill means that they get all our information and we personally will probably not get anything back, because the ills that the Government seek to address are large and rare. They are extremely unlikely to affect us directly, except emotionally of course. Crimes on the scale of a downed aircraft will directly affect a very small proportion of us. If the Government want to do us all good and to gain consent for the access to data which is involved in the Bill, surely the best way to do it is to copy the successful commercial examples and give us all something back, for this to be seen as a good thing in our daily lives. I hope that my amendments will elicit from the Government that they have given themselves sufficient power in the Bill to do us that bit of daily good, should they or we ever be able to persuade a Home Secretary that it was worth doing. I beg to move.
My Lords, Clause 58 is the first clause of Part 3 of the Bill and deals with the targeted obtaining of communications data. It provides the power for only those public authorities listed in Schedule 4 to the Bill to authorise conduct to obtain communications data. Obtaining communications data may be authorised only when necessary for one of the statutory purposes listed in Clause 58(7) and where the conduct authorised is proportionate to what is sought to be achieved. Similarly, Clause 146(2) provides the statutory purposes for which a bulk communications data acquisition warrant will be considered necessary. Those purposes mirror the statutory functions of the security and intelligence agencies, since bulk warrants are of course available only to those agencies. They are where it is,
“in the interests of national security”,
for the prevention or detection of serious crime, or
“in the interests of the economic well-being of”,
the UK where relevant to national security.
Throughout the passage of the Bill, we have heard repeatedly of the vital importance of communications data for the full range of law enforcement activity and national security investigations. This Government are committed to ensuring that law enforcement and the intelligence agencies have the tools they need to carry out the critical responsibilities that Parliament has placed upon them. Indeed, one of the key aims of this legislation is to ensure that investigatory powers are fit for a digital age and that crime can be investigated wherever it takes place, regardless of the method of communication. However, the Government consider these amendments unnecessary for targeted communications data and an inappropriate extension of responsibilities for our intelligence agencies for bulk communications data.
The Bill already provides that communications data may be acquired for the purpose of preventing or detecting crime, wherever that crime takes place and whatever scale it is on, where an application for communications data meets the requirements for necessity and proportionality. So it would already be available for the purpose of suppressing less serious crimes perpetrated on a large scale. I commend the aim of my noble friend Lord Lucas’s amendment but I believe that the Bill already provides the powers that he seeks.
As I said earlier, the bulk acquisition of communications data is available only to the intelligence agencies, whose statutory functions relate to serious crime and national security. The inclusion of a statutory purpose to obtain communications data in bulk so that our intelligence agencies could suppress less serious crime would therefore, in my submission, be inappropriate.
I hope that my noble friend finds those comments helpful and will feel able to withdraw his amendment.
Moved by Earl Howe
120: Clause 58, page 47, line 33, at end insert—“( ) The fact that the communications data which would be obtained in pursuance of an authorisation relates to the activities in the British Islands of a trade union is not, of itself, sufficient to establish that it is necessary to obtain the data for a purpose falling within subsection (7).”
Amendment 120 agreed.
Amendment 121 not moved.
Amendment 122 had been withdrawn from the Marshalled List.
Clause 58, as amended, agreed.
Moved by Earl Howe
123: After Clause 58, insert the following new Clause—“Restrictions in relation to internet connection records(1) A designated senior officer of a local authority may not grant an authorisation for the purpose of obtaining data which is, or can only be obtained by processing, an internet connection record.(2) A designated senior officer of a relevant public authority which is not a local authority may not grant an authorisation for the purpose of obtaining data which is, or can only be obtained by processing, an internet connection record unless condition A, B or C is met.(3) Condition A is that the designated senior officer considers that it is necessary, for a purpose falling within section 58(7), to obtain the data to identify which person or apparatus is using an internet service where—(a) the service and time of use are already known, but(b) the identity of the person or apparatus using the service is not known.(4) Condition B is that—(a) the purpose for which the data is to be obtained falls within section 58(7) but is not the purpose falling within section 58(7)(b) of preventing or detecting crime, and(b) the designated senior officer considers that it is necessary to obtain the data to identify—(i) which internet communications service is being used, and when and how it is being used, by a person or apparatus whose identity is already known,(ii) where or when a person or apparatus whose identity is already known is obtaining access to, or running, a computer file or computer program which wholly or mainly involves making available, or acquiring, material whose possession is a crime, or(iii) which internet service is being used, and when and how it is being used, by a person or apparatus whose identity is already known.(5) Condition C is that—(a) the purpose for which the data is to be obtained is the purpose falling within section 58(7)(b) of preventing or detecting crime,(b) the crime to be prevented or detected is serious crime or other relevant crime, and(c) the designated senior officer considers that it is necessary to obtain the data to identify—(i) which internet communications service is being used, and when and how it is being used, by a person or apparatus whose identity is already known,(ii) where or when a person or apparatus whose identity is already known is obtaining access to, or running, a computer file or computer program which wholly or mainly involves making available, or acquiring, material whose possession is a crime, or (iii) which internet service is being used, and when and how it is being used, by a person or apparatus whose identity is already known.(6) In subsection (5) “other relevant crime” means crime which is not serious crime but where the offence, or one of the offences, which is or would be constituted by the conduct concerned is—(a) an offence for which an individual who has reached the age of 18 (or, in relation to Scotland or Northern Ireland, 21) is capable of being sentenced to imprisonment for a term of 6 months or more (disregarding any enactment prohibiting or restricting the imprisonment of individuals who have no previous convictions), or(b) an offence—(i) by a person who is not an individual, or(ii) which involves, as an integral part of it, the sending of a communication or a breach of a person’s privacy.(7) In this Act “internet connection record” means communications data which—(a) may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and(b) comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person).”
Amendment 123 agreed.
Clause 59: Additional restrictions on grant of authorisations
Moved by Earl Howe
124: Clause 59, page 48, line 1, at beginning insert “the investigation or operation concerned is one where there is an exceptional need, in the interests of national security, to keep knowledge of it to a minimum,(ba) there is an opportunity to obtain information where—(i) the opportunity is rare,(ii) the time to act is short, and(iii) the need to obtain the information is significant and in”
My Lords, in moving Amendment 124 I shall speak also to Amendment 127. We consider the requirement for an authorising officer to be independent of the operation or investigation being worked on an important safeguard and intend the exceptions to be drawn as narrowly as possible. That is why we welcomed the Intelligence and Security Committee amendments on this in the House of Commons and why we have tabled these amendments, which fully reflect the substance of the ISC’s intention and more narrowly define the national security exceptions. I beg to move.
My Lords, my noble friend Lady Hamwee and I have Amendment 126 in this group. It attempts to challenge the fact that the size of the relevant public authority, which may make it difficult to find a senior officer independent of the investigation to which the authorisation relates, makes it an exceptional circumstance, which it would be if the Bill is accepted as drafted.
My Lords, Amendment 126, as the noble Lord, Lord Paddick, has just explained, concerns the independence of the authorising officer. As I mentioned a moment ago, the Bill provides for a very limited set of circumstances in which the designated senior officer need not be independent of the investigation or operation; for example, where delays in locating an independent officer may pose a threat to life, or in specific cases where the interests of national security prevent it. As we have heard, the intention behind the amendment is to ensure that an authorising officer is always, without any exceptions, independent of the investigation. I beg the noble Lord’s pardon.
I am grateful to the noble Earl for giving way. We entirely accept that some public authorities will be so small, or some investigations so important, that there cannot be someone independent of the investigation who can give the authority. As the Bill is drafted, however, simply the size of the public authority is seen as an exceptional circumstance. It is not an exceptional circumstance and the amendment attempts to allow the size of the authority to be a reason why an independent senior officer cannot give the authority without making it an exceptional circumstance.
I am very grateful to the noble Lord. He is right: in some small public authorities there will be only a small number of staff sufficiently senior to take on this important responsibility. Where he and I part company is over the question of whether the rank of the designated senior officer should be lowered to ensure that there are sufficient numbers of them to always be independent of the investigation. I do not feel able to agree to that, because to do so would lower the safeguards that form an integral part of the communications data regime. Equally, I am afraid the Government are not prepared to remove these powers from some of the smaller authorities. They may be small, but they often do vital work in keeping the public safe and investigating crime.
I would be happy to discuss this further outside the forum of Committee, if that would help the noble Lord. I understand where he is coming from, but we have a fundamental disagreement of view on this.
I would just add that we do not disagree that a public authority may be so small that there is no independent senior officer who can grant the authority; the problem is whether that situation would amount to an exceptional circumstance. However, I would be very happy to discuss that situation with the noble Earl between now and Report.
Amendment 124 agreed.
Amendment 125 had been withdrawn from the Marshalled List.
Amendment 126 not moved.
Moved by Earl Howe
127: Clause 59, page 48, line 2, leave out “being” and insert “is”
128: Clause 59, page 48, line 5, leave out subsections (4) to (6)
Amendments 127 and 128 agreed.
Amendment 129 not moved.
Clause 59, as amended, agreed.
Clause 60 agreed.
Clause 61: Duration and cancellation of authorisations and notices
Moved by Earl Howe
130: Clause 61, page 49, line 21, after “authorisation” insert “—( ) may cancel it at any time, and( ) ”
131: Clause 61, page 49, line 22, leave out from second “the” to end of line 23 and insert “requirements of this Part would not be satisfied in relation to granting an equivalent new authorisation.”
132: Clause 61, page 49, line 25, leave out from beginning to end of line 26 and insert “function under subsection (4) is to be exercised where the person who would otherwise have exercised it is no longer available to do so”
133: Clause 61, page 49, line 27, leave out “on whom the duty is to fall” and insert “by whom the function is to be exercised”
Amendments 130 to 133 agreed.
Clause 61, as amended, agreed.
Clause 62 agreed.
Clause 63: Filtering arrangements for obtaining data
My Lords, in moving Amendment 134, which is in my name and that of my noble friend Lady Hamwee, I will also speak to Amendments 135, 142, 144 and 240 and on whether Clauses 63 to 65, relating to filtering arrangements, should stand part of the Bill.
Amendment 134 would amend Clause 63(1) to say that the Secretary of State “may by regulations establish” rather than simply “may establish”. Amendment 240 is consequent on that. Amendment 135 would amend Clause 63(1), so that while the Secretary of State may establish filtering arrangements, she would not “maintain and operate” them herself. In fact, my understanding is that the Government have no idea at this stage who might maintain or operate such arrangements.
I do not intend to speak to Amendment 138, which we will not be moving and do not consider worth debating. Amendment 140 would have added to the duties in connection with the operation of the filtering arrangements—that the Secretary of State shall, in exercising her powers under Clauses 63 to 68, have regard to the general duties in relation to privacy in Clause 2.
To the duty on the Secretary of State to provide a report to the Investigatory Powers Commissioner about the operation of the filter, Amendment 142 adds a duty to lay a report before each House of Parliament about the functioning of the filtering arrangements during the previous year. Amendment 144 requires the Secretary of State immediately to report to the Investigatory Powers Commissioner any processing errors—not just “significant” processing errors—giving rise to a contravention of the requirements of this part.
This feature of the Bill is almost identical to that proposed in the Communications Data Bill. The Joint Committee described it as a government-owned data mining device. I described it on Second Reading as a virtual national database. The noble and learned Lord, Lord Keen of Elie, said that it was not a database. I did not maintain that it was; I said it was a virtual database. My understanding is that this is a search engine that would have real-time direct access to communication databases held by every communication service provider, including, if the Bill is not amended, everyone’s internet connection records.
At the moment, the police and security services, through a single point of contact, make application to communication service providers, which assess the lawfulness of the request and, if satisfied, provide the information. The filter would bypass that important safety check and allow security services to self-authorise access to communication service providers’ data. It would allow complex queries that could provide detailed information about people’s private lives. As the noble Lord, Lord Lucas, said on Second Reading:
“We are producing a resource there that Francis Urquhart would have loved to have his fingers on: absolute knowledge of everyone’s private life”—[Official Report, 27/6/16; col1427.]
The request filter would make life for the police and the security services easier—I say the security services, but I think they have their own systems. Life without the filter would not be impossible for the police, just not easier than it is now. It is therefore not necessary, only desirable and, as such, fails the necessity and proportionality tests for the invasion of privacy.
The Government cannot say what it would look like, where it would be built, who would run it on their behalf or how it would be kept secure. It is a hypothetical virtual database. It would be a dangerous precedent for Parliament to authorise such a device without knowing who would run it and what the security implications would be. I beg to move.
My Lords, I have Amendments 141 and 143 in this group. I very much share the concern of the noble Lord, Lord Paddick, about the request filter. It is an exceptionally powerful system because it will make life so easy. A casual request for data on someone who might possibly be of interest can be done in a moment—you do not have to think about it—rather than tying up resources to such an extent that you probably do not do it.
We are all familiar with the fact that those in the police service are human; doubtless, the people who run this resource will be human. The potential for casual misuse or misuse suborned by journalists will be considerable. On top of that is potential misuse by government. Given that at the moment we do not have an effective Opposition and I suspect that the Bill will effectively pass on the nod, I very much hope that my noble friend will reassure us that not only will there be exact and complete record-keeping for the filter but that those records will be independently inspected, that the results of those inspections will be publicly available and that people who find themselves tied up in nastiness as a result of information which may well have come from the filter will be able to find out whether that has happened.
My Lords, I shall speak briefly on the amendments on the request filter. Along with internet connection records, the request filter is another power that first appeared in the draft Communications Data Bill and which died along with that ill-fated Bill. The view of the pre-legislative Joint Committee on that Bill, on which I sat, was that,
“the Request Filter introduces new risks, most obviously the temptation to go on ‘fishing expeditions’. New safeguards should be introduced to minimise these risks”.
The request filter was described as,
“essentially a federated database of all UK citizens’ communications data”.
I dare say that the committee would be even more worried when it said that in 2012 if it had seen how this Bill expanded the range of data to which the request filter can be applied. That expansion comes from the proposed introduction of internet connection records, which would reveal every detail of a person’s digital life and a very large part of their life in the real world. The effect of the request filter will be to multiply up the effect of intrusion into those data by allowing public authorities to make complex automated searches across the retained data from all telecoms operators. This has the potential for population profiling and composite fishing trips. It is bulk surveillance without the bulk label.
Use of the request filter would be self-authorised by the public authority without any judicial authorisation at all. The concept that the Government promote for bulk data is that they are passive retained records, which they say sit there unexamined until someone comes to the attention of the authorities. That concept is negated by the request filter. The data become an actively checked resource and are no longer passive. Will the Minister confirm that the request filter is not yet in existence and is not yet being used?
The request filter is a bulk power masquerading as an innocuous safeguard to reduce collateral intrusion. Unless and until the Government come forward with proposals to strictly limit use of the request filter through tighter rules and judicial approval for warrants, as is the case with other bulk powers, Clauses 63, 64 and 65 should not stand part of the Bill.
My Lords, I shall use the opportunity that arises from Amendments 140 and 146A to ask the Minister to clarify whether it really is the case that Clause 2 does not automatically affect every power in the Bill. If this was the case, we would be sympathetic to these amendments, as the privacy objective should be considered before any of the powers are used. My understanding was that Clause 2 was a general provision, which affected everything. Indeed, the letter of the noble Earl, Lord Howe, of
My Lords, I find the amendment moved by the noble Lord, Lord Paddick, difficult to understand. He made the point that the filter arrangement makes the operations of the police easier, but it makes them easier by ensuring that they do not inspect communications data which are not relevant to their purpose. It therefore protects privacy rather than threatens it. The filter is governed by the requirements of the rest of the Bill. It will apply the tests of necessity, proportionality and the protection of privacy. It is a protection of privacy rather than a threat to it.
My Lords, Clauses 63 to 65 provide that the Secretary of State may establish, maintain and operate filtering arrangements for communications data—the request filter—and detail the appropriate safeguards and restrictions around its use.
Public authorities currently need to receive all the communications data disclosed by communications service providers in response to specific requests so they can determine which specific pieces of communications data are relevant to their investigation. Public authorities will sometimes need to make complex queries. For example, they may need to ask multiple communications service providers for data to identify an unknown person who is suspected of having committed a crime at three different places at different times. Currently, public authorities might approach communications service providers for location data to identify the mobile phones used in those three locations at the relevant times in order to determine whether a particular phone and a particular individual are linked to the three offences. This means the public authority may acquire a significant amount of data relating to people who are not of interest.
The request filter will mean that when a police force makes such a request, it will see only the data it needs. Any irrelevant data will be deleted and not made available to the public authority. The filter acts as a safeguard, as the noble Lord observed a moment ago, protecting privacy by ensuring that public authorities see only the data they need.
The joint scrutiny committee on the draft Bill stated:
“We welcome the Government’s proposal to build and operate a Request Filter to reduce the amount of potentially intrusive data that is made available to applicants”.
It believed that the requirement upon law enforcement to state the operational purpose for accessing data through the filter and the oversight of the Investigatory Powers Commissioner will ensure appropriate use of the filter.
Clause 64 makes it clear that the request filter may be used to obtain, disclose or process communications data only if the relevant authorisation specifically authorises that use. The designated senior officer must consider that, in addition to the necessity and proportionality concerns provided for in Clause 58, what is being authorised in relation to the filtering arrangements is proportionate to what is sought to be achieved. It also provides that the relevant authorisation must record the designated senior officer’s decisions on the use of the request filter. I therefore take issue with the suggestion from the noble Lord, Lord Strasburger, that the request filter could somehow be used to permit fishing trips, as he termed them. The request filter cannot permit such expeditions. The filtering arrangements can operate only in response to a specific, necessary and proportionate authorisation for the acquisition of communications data. In other words, that request must already have gone through all the existing communications data safeguards, such as authorisation by a designated senior officer. Indeed, the operation of the filtering arrangements will be overseen by the Investigatory Powers Commissioner. Clause 64 makes it clear that the request filter may be used to obtain, disclose or process communications data only if the appropriate authorisations have been made.
Clause 65 provides that the Secretary of State must ensure the application of the appropriate restrictions on the request filter, maintain adequate security measures with regard to the request filter, put in place procedures to ensure its effective functioning and report to the Investigatory Powers Commissioner regarding its functioning on an annual basis, including immediately reporting any significant processing errors. This again underlines the point that the commissioner will be overseeing the operation of the filter.
As the noble Lord observed a moment ago, the request filter will act as a safeguard when it is used. It will accept communications data disclosed by communications service providers only in response to lawful requests from public authorities, and will automatically filter those communications data to ensure that only the data that are required to answer the request are provided to the public authority. In short, it will ensure that police officers and others will see only the information that they really need to in such cases.
In response to the inquiry from the noble Lord, Lord Strasburger, no, there is no request filter in existence at present. In response to the observations from the Baroness, Lady Hayter, she is right. The privacy clause applies to all powers which represent an intrusion into privacy. That has always been the intention since those privacy provisions were placed expressly in the Bill.
I turn to my noble friend Lord Lucas’s amendments. I entirely agree with his intention to ensure that the operation and use of the filtering arrangements are effectively overseen and regulated. I therefore reassure him that the effect of the amendments he has tabled is already fully provided for in the Bill. On record-keeping, Clause 64(3) requires the designated person to record whether the filtering arrangements are used to obtain communications data in pursuance of an authorisation, as well as recording the description of the data that may be processed. These records are additional to the extensive records that the draft code of practice also requires relating to each authorisation.
The Bill also already provides that the Investigatory Powers Commissioner oversees all authorisations for the acquisition of communications data, including those using the filtering arrangements. Clause 63(5) also requires the Secretary of State to consult the commissioner about the principles on the basis of which the filtering arrangements are established, maintained and operated. Clause 63(4) requires the filtering arrangements to involve the generation of information required by the commissioner in his oversight role. Clause 65(6) requires the Secretary of State to report annually about the functioning of the filtering arrangements. I hope this provides the noble Lord with some reassurance.
I hope I can provide some reassurance to the noble Lord, Lord Paddick, regarding Amendment 146A and the operation of the request filter. As I said, the privacy clause in the Bill already requires a public authority to have regard to a number of factors when granting an authorisation or giving a notice to obtain communications data under Part 3 of the Bill. The privacy clause does not make specific reference to the establishment, operation and maintenance of the filter, and we consider that to be the correct approach. Because every request for communications data must be made in accordance with the requirements in the privacy clause, it has to be the case that the design and operation of the filter must allow for those requests to be compliant with that clause anyway.
In addition, the Secretary of State is already bound by the requirements of the Human Rights Act in any actions that she takes, further ensuring that the filter will be designed in such a way that any request made through it is compliant with the requirements of the privacy clause. Accordingly, we do not consider it necessary to make specific reference to the filter in the privacy clause, or to include a provision along the lines of the amendment.
I turn to Amendments 134, 135, 138, 142, 144 and 240. The noble Lord seeks to make a number of amendments to the filtering arrangements provisions that I hope I can reassure him are unnecessary and, in some cases, unhelpful. The filtering arrangements will mean that communications data disclosed by a communications service provider in response to an authorisation will be filtered, and a public authority will see only the data that they need to. Any irrelevant data will be deleted and not made available to the public authority. On Amendments 134 and 240, the detailed provisions, restrictions and safeguards that are in the Bill already preclude the need for regulations.
On Amendment 135, to leave the Secretary of State to establish the filtering arrangements but without a clear lawful basis for the Secretary of State—or anyone else, for that matter—to maintain and operate them makes little sense.
As regards Amendment 142 and an annual report to Parliament, I remind noble Lords that the Bill already provides for the Investigatory Powers Commissioner, who must oversee the functioning of the filtering arrangements, to report annually to the Prime Minister, who must lay a copy of the published report before Parliament.
On error reporting in Amendment 144, the provisions in the Bill already strike the right balance between ensuring that the Investigatory Powers Commissioner—who oversees the operation of the filtering arrangements —is made immediately aware of significant errors and overwhelming the commissioner with reports of minor errors which do not need to be conveyed with such urgency, which would not achieve anything. Aside from ensuring that these significant errors are properly reported, it is of course for the commissioner to determine what information about the operation of the filtering arrangements, including processing errors, he requires to fulfil his oversight duties. A requirement for the filtering arrangements to generate and retain such information as the commissioner considers appropriate is already specifically set out in Clause 63(4).
I assure the noble Lord that the filtering arrangements are a vital part of the Bill and are already subject to strict safeguards set out in the primary legislation. These amendments are therefore at best unnecessary and at worst may weaken some of those safeguards already in the Bill. I invite the noble Lord to withdraw the amendment.
My Lords, I thank the Minister for his response. We were concerned that the privacy provision in Clause 2(1)(d) states that it relates to the grant, approval or cancellation of an authorisation rather than to the establishment of the filter. However, I accept that the use of the filter is covered by Clause 2. I am also concerned about what the noble and learned Lord said about significant processing errors. If even a minor processing error leads to a contravention of the requirements of this part of the Bill, it could be argued that that is a serious matter, whether the processing error is significant or not. However, at this stage I beg leave to withdraw the amendment.
Amendment 134 withdrawn.
Amendment 135 not moved.
Moved by Earl Howe
136: Clause 63, page 50, line 18, leave out from “the” to “or” in line 19 and insert “requirements of this Part in relation to granting the authorisation are satisfied,”
Amendment 136 agreed.
Amendment 137 had been withdrawn from the Marshalled List.
Clause 63, as amended, agreed.
Clause 64: Use of filtering arrangements in pursuance of an authorisation
Amendment 138 not moved.
Moved by Earl Howe
139: Clause 64, page 51, line 31, leave out from “the” to “considers” and insert “other requirements of this Part in relation to granting the authorisation are satisfied)”
Amendment 139 agreed.
Clause 64, as amended, agreed.
Amendment 140 had been withdrawn from the Marshalled List.
Clause 65: Duties in connection with operation of filtering arrangements
Amendments 141 to 144 not moved.
Clause 65 agreed.
Clause 66 agreed.
Schedule 4 agreed.
Clause 67: Power to modify section 66 and Schedule 4
My Lords, Amendments 146 and 147 in this group are also in my name and the name of my noble friend Lady Hamwee. Much concern has been expressed about the number of public authorities that can intrude into people’s privacy, and as a result, restrictions have been put in the Bill. If the Bill is enacted there will be fewer public bodies with that ability, and that is to be welcomed. We therefore do not think it is right that under Clause 67 the Secretary of State should be allowed by regulation to add a public authority. Amendment 145 would delete this power from Clause 67(2)(a) and Amendment 146 would make a similar change to subsection (3).
Amendment 147 would impose a duty on the Secretary of State to consult representatives of local authorities—for example, the Local Government Association—if she intends to make regulations to change a local authority-designated senior officer to someone of lower office, rank or position, in addition to consulting each of the local authorities concerned, as set out in Clause 69(5). I beg to move.
My Lords, these amendments all concern the public authorities that are able to acquire communications data. I should take this opportunity to mention a document which we published last week and which is available in the Printed Paper Office: Operational Case for the Use of Communications Data by Public Authorities. It sets out why it is essential that the authorities listed in Schedule 4 to the Bill are able to acquire communications data. It is important to recognise that the crimes they investigate are not trivial. They include offences such as bribery and corruption, defrauding vulnerable people of their life savings, stealing sensitive personal information and supplying dangerous counterfeit medicines. That document is pertinent to this group of amendments, because Amendments 145 and 146 would remove the ability of the Secretary of State to add public authorities to Schedule 4 by regulations.
I recognise the well-intentioned purpose of the amendments. However, it is not something that the Government can support because it goes against our stated aim of ensuring that the Bill is future-proofed. Although we have no plans to use the regulation-making power, and, indeed, we think it unlikely that any additional authorities will be identified, it would not be good policy to specifically rule it out. That is because communications data are an essential investigative tool for numerous investigations and they are used by a number of different authorities. As I said, we have published the operational case demonstrating why it is so essential that the authorities listed in Schedule 4 continue to be able to use these powers.
As that operational case demonstrates, the authorities that acquire communications data, including the so-called “minor users”, often do so to investigate serious crime and, in some cases, save lives. Should a new investigative body be established—for example, with a remit to investigate a specific type of serious crime—we would want the flexibility to give it the powers that it needed. Similarly, we need to be able to adapt the list if changes in the roles and responsibilities of public bodies mean that it falls out of date.
Of course, there should be full and proper scrutiny of any decisions to provide powers to an additional body. The Government will consider giving powers only where a public authority can make a robust case and, perhaps more importantly, the Bill allows a public authority to be added to Schedule 4 only under the enhanced affirmative procedure. This procedure requires additional consultation above and beyond the affirmative procedure and ensures that a parliamentary committee is provided with an opportunity to consider the draft regulations.
This power has been considered by the Delegated Powers and Regulatory Reform Committee. In her letter to the Joint Committee that scrutinised the draft Bill, my noble friend Lady Fookes reported that the committee accepted the need for the delegated power and welcomed the strengthening of scrutiny procedures under the Bill. She said that,
“the enhanced affirmative procedure ... provides an appropriate level of Parliamentary scrutiny”.
I hope that that reassures the Committee that sufficient scrutiny is already built into the process to ensure that an additional public authority would be added to Schedule 4 only where it had a robust and compelling need for the powers.
On Amendment 147, I hope I can reassure noble Lords that the intent of this amendment is already met by the Bill. Should there be a need to make changes by order to the “designated senior officer” position within local authorities, the Bill already requires the Secretary of State to consult each local authority to which the amendment relates. If the intent of the amendment is to ensure that organisations such as the Local Government Association are consulted, I can also assure noble Lords that the Government regularly consult such organisations and would consult them should we wish to make changes in respect of investigatory powers that affect their members.
However, we do not think that it would be appropriate to include a requirement to consult representatives of local authorities without identifying who that specifically means, particularly when there is already a requirement to consult the local authorities themselves. I hope that that provides reassurance to the noble Lord, Lord Paddick.
Amendment 149 would remove a power that will be used as a safeguard. I am sure that that cannot be the intent of the noble Lord. The provisions in the Bill relating to collaboration agreements provide that, where a collaboration agreement is in place, single points of contact and designated senior officers in one relevant public authority are able to act on behalf of another relevant public authority. The Bill allows the Secretary of State to require authorities to enter into collaboration agreements, where appropriate.
Smaller users of communications data being mandated to request data through the single points of contact and designated senior officers in authorities that acquire communications data more frequently can be an important safeguard. That is because, inevitably, those authorities that request data most frequently will be able to build up more experience and expertise in acquiring communications data, thus reducing the possibility of errors or inappropriate use. Accordingly, the Government do not believe that it would be sensible to remove this potentially important safeguard. I hope that that is helpful to the noble Lord, Lord Paddick, and gives him sufficient comfort at this stage to withdraw his amendment.
Obviously, this is a very important area, which has given rise to a lot of public concern about how widely this would go in terms of all the authorities that might have access to information in this way. But it must be right that, if there is to be a list and it is to bear the power to remove names—which the noble Lord, Lord Paddick, is not suggesting should be deleted—there must be a power to add to the list as well where appropriate. Knowing the way that Governments, bodies and names change, I can see without altering the impact at all that it would be necessary to exercise this power. Could the Minister say a little more about the committee that he was talking about? Is it a standing committee, special committee or advisory committee? When he mentioned the proposal to add somebody to the list, he said that that would be scrutinised by a committee. What sort of committee would that be?
My Lords, I was referring to the procedure relating to the enhanced affirmative process. That procedure is set out in Clause 239 of the Bill. Importantly, it provides for a relevant parliamentary committee to report on the regulations. I do not think that I can be more specific at this stage. The enhanced affirmative procedure has been used in the past, albeit not very frequently, and is there as an additional safeguard. I endorse everything that my noble friend said in support of my remarks. He is absolutely right that we cannot foresee at this stage the need to add to the list, but we must and should provide for the circumstances where that becomes necessary.
I am grateful for the noble Earl’s explanation. The noble Lord, Lord King of Bridgwater, raised this important concern that people have about the range of public authorities that will be able to access this data. There is a real concern that the Secretary of State by regulation can simply add to the list included in the Bill. As a general principle, to have provisions in a Bill in order—to quote the noble Earl —to future-proof it, even if those are unlikely to be used, is not the ideal way forward. However, the enhanced affirmative procedure does give some reassurance on that issue.
On the other matters, I will read carefully what the noble Earl has said, but at this point I beg leave to withdraw the amendment.
Amendment 145 withdrawn.
Amendment 146 not moved.
Clause 67 agreed.
Clause 68 agreed.
Amendment 146A not moved.
Clause 69: Local authorities as relevant public authorities
Amendment 147 not moved.
Clause 69 agreed.
Clauses 70 to 72 agreed.
Moved by Lord Strasburger
147A: After Clause 72, insert the following new Clause—“Authorisation to obtain data from an internet connection recordAn authorisation to obtain data from an internet connection record is not to have effect until such time (if any) as a Judicial Commissioner has approved it.”
My Lords, I rise to speak to Amendment 147A in my name and that of my noble friend Lord Paddick. My noble friend also has Amendment 156A in this group and he will speak to that amendment; I may have something to add on it after he has spoken.
Amendment 147A requires a judicial commissioner to authorise requests to obtain data from internet connection records. As it happens, this is a very hot topic because only this morning an Advocate-General of the European Court of Justice issued his opinion in the case brought by Tom Watson and, before his appointment to the Cabinet, David Davis. Of course this is not the final judgment of the court, but it is usual for it to confirm an Advocate-General’s opinion. This case concerns the Data Retention and Investigatory Powers Act 2014, one of the Acts that this Investigatory Powers Bill seeks to replace.
In particular, the ruling addresses the legality and the safeguards around the speculative retention of communications data. As such, it is of direct relevance to the provisions in this Bill regarding the retention of communications data and the retention of internet connection records. So I have discarded most of my speech and instead I will let the Advocate-General’s words speak for Amendment 147A on my behalf. At paragraph 236 of his ruling he states:
“Lastly, I would add that, from a practical point of view, none of the three parties concerned by a request for access is in a position to carry out an effective review in connection with access to the retained data. Competent law enforcement authorities have every interest in requesting the broadest possible access. Service providers, who will be ignorant of the content of any investigation file, are incapable of checking that requests for access are limited to what is strictly necessary and persons whose data are consulted have no way of knowing that they are under investigation, even if their data is used abusively or unlawfully … Given the nature of the various interests involved, the intervention of an independent body prior to the consultation of retained data, with a view to protecting persons whose data are retained from abusive access by the competent authorities, is to my mind imperative”.
So the Advocate-General is saying that, because the police have a strong interest in the request for the data, and because the service providers cannot judge the merits of the request, and because the subject of the request does not know that it exists, it is imperative, in his words, that an independent body should decide. Incidentally, he goes on to suggest that there could be exceptions in cases of “extreme urgency”.
To my mind, that independent body he speaks of can only be the judicial commissioner, which is precisely what Amendment 147A stipulates. If the Government believe that the independent body could be something other than the judicial commissioner, perhaps the Minister can inform the Committee when he responds, and say how the Government intend to incorporate the Advocate-General’s opinion, should it be confirmed by the court, into this Bill. I beg to move.
My Lords, I wish to speak to Amendment 156A in my name and that of my noble friend Lady Hamwee. Before doing so, I endorse wholeheartedly what my noble friend Lord Strasburger has just said. The decision of the Advocate-General released today appears very much to add considerable weight to the arguments in favour of Amendment 147A.
Amendment 156A is an amendment to Clause 83, headed, “Powers to require retention of certain data”. It would exclude internet connection records from the types of data that telecommunications operators can be required to store, and, as such, would effectively remove the only new provision—the use of internet connection records—from the Bill.
We believe that such an amendment is necessary for several reasons. Internet connection records do not do what the Government claim they do. They do not provide the police and security services with the internet equivalent of the communications data they already have—for example, access to mobile phone provider data. It is far more complex than that. At best, internet connection records provide only details of which communications platforms have been used, most of which are based in the United States.
Whether useful communications data can be accessed depends on voluntary co-operation by the American companies, which is unlikely in all but serious cases—for which there is an alternative. Internet connection records may provide leads, but they are difficult, complex and time-consuming to follow up. They fail the necessity test. The security services—MI5, MI6 and GCHQ—say that they do not need internet connection to be stored by telecommunications operators because they have other ways of securing the data that they need. In serious crime cases, GCHQ can, does and will help law enforcement to secure the communications data that the police need without recourse to internet connection records.
Indeed, there is a co-located joint operations cell in which the National Crime Agency and GCHQ have joined forces to tackle online crime—initially child sexual exploitation, but in the future other online crime as well. This information is in the public domain. At Second Reading, when I suggested that law enforcement could use security service powers instead of ICRs, the Minister said:
“But of course that is neither practical nor effective because many of the powers of the security services produce investigative material that is not admissible as evidence in a court of law”.—[Official Report, 27/6/16; cols. 1459-60.]
It would appear that the National Crime Agency and GCHQ agree with me rather than with the noble and learned Lord. Indeed, case studies that I was shown when I visited GCHQ tend to undermine the Minister’s assertion.
We began Committee stage by looking at RUSI’s 10 principles for the intrusion on privacy. I will quote just one, on “necessity”, which states that,
“there should be no other practicable means of achieving the objective”.
Internet connection records fail the necessity test. The National Crime Agency and GCHQ co-operation shows that there is a practical alternative.
These measures can easily be evaded. Any terrorist or criminal who is the least bit technologically aware can easily and simply avoid giving away any useful communications data derived from internet connection records by using a virtual private network. If you use a VPN, the only internet connection record visible to law-enforcement agencies is the one connection to the secure server operated by the virtual private network provider. If you use a VPN, ICRs will not provide any information about any websites you have visited, or any apps you have used to communicate with other people.
ICRs are unacceptably intrusive on innocent people’s privacy. Those unaware of how to evade internet connection records providing any useful data—there will be a diminishing number of such people as those who are aware seek to make money by publicising VPN services—will have details of every website they visited and every app they have used over a rolling 12-month period stored by private companies. While the communications data beyond the first page of each website are considered by the Government to be content, even the first page can provide sensitive personal information about the individual, and the time when and place where that webpage was accessed.
If you access the Alcoholics Anonymous website, a domestic violence website or a gender-reassignment website, you immediately reveal sensitive personal information about yourself. If your internet connection records show that you do not use your home internet service during working hours on weekdays, they provide information about you’re your home is unoccupied. Much about your lifestyle, personality and whereabouts can be gleaned from internet connection records.
The storage of internet connection records is a security risk. Technology experts claim that there is no such thing as a totally secure database and that commercial companies should assume that their security systems will be breached.
I understand the importance of safeguards, but the noble Lord’s thrust is that he is against the retention of internet connection records in total. He therefore totally disagrees with the impressive Joint Committee of both Houses, which considered the matter at some length. It said:
“We consider that, on balance, there is a case for Internet Connection Records as an important tool for law enforcement”.
Does he disagree?
I am grateful for the chance to clarify my position. That is my position: we disagree with the conclusions of the Joint Committee. We believe, on balance, that the retention of internet connection records is disproportionate and unnecessary.
Technology experts recommend that companies should plan on the basis of their security measures having been breached, not just plan for the security of their databases. This makes highly intrusive personal data potentially available to criminals and hostile foreign powers. If a criminal establishes that a married man is accessing gay websites, or a hostile foreign Government establish that an intelligence officer is accessing lonely hearts websites, that could increase the risk of blackmail or entrapment. Knowing from ICRs when someone is not at home can increase the risk of burglary.
Internet connection records are hugely expensive to analyse and store. Based on estimates from Denmark, where the storage of internet connection records has already been explored extensively, the set-up costs alone in the UK could be around £1 billion. As in the UK, the cost estimates provided by the Government and telecommunications providers in Denmark varied widely. The Government therefore asked independent management consultants to establish the true cost, which confirmed that the telecommunications service providers’ estimates were the correct ones. Extrapolating from the independently verified Danish costs using the relative populations of both countries would take the set-up costs alone for internet connection records in the UK to more than £1 billion.
For those who think that this cannot be right, I should say that 80% of all the data ever created since the beginning of time has been created in the last two years. That is the rate of increase, and, with more and more devices being connected to the internet, such as those controlling our central heating, and with even refrigerators and ovens being connected to the so-called internet of things, the number of internet connection records is set to increase exponentially. Apart from not being able to see communications in among all these other internet connections, the storage costs alone will be enormous.
Taking all these arguments together, the storage of the internet connection records of everyone in the UK for 12 months, whether they are suspected of wrongdoing or not, fails the proportionality test. I quote the RUSI report again, this time on proportionality. It states:
“Intrusion must be judged as proportionate to the advantages gained, not just in cost or resource terms but also through a judgement that the degree of intrusion is matched by the seriousness of the harm to be prevented”.
The advantages gained through the storage of internet connection records are limited, the costs are prohibitive, the degree of intrusion is huge and serious harm can be prevented through other means.
My Lords, the noble Lord, Lord King, touched on the issue of the Joint Committee. It may be useful for your Lordships to hear what it said about ICRs. The noble Lord, Lord King, was quite right in that regard. The Joint Committee said:
“While we recognise that ICRs could prove a desirable tool for law enforcement agencies, the Government must address the significant concerns outlined by our witnesses if their inclusion within the Bill is to command the necessary support”.
The Joint Committee also said:
“We recommend that the definition of Internet Connection Records should be made consistent throughout the Bill and that the Government should give consideration to defining terms such as ‘internet service’ and ‘internet communications service’. We recommend that more effort should be made to reflect not only the policy aims but also the practical realities of how the internet works on a technical level”.
The Joint Committee also recommended that,
“the Government should publish in a Code of Practice alongside the Bill advice on how data controllers should seek to minimise the privacy risks of subject access requests for ICRs under the Data Protection Act 1998”.
The Government accepted the recommendation on a code of practice—and, indeed, on the definitions. However, in general, the majority of members of the committee believed that ICRs are absolutely necessary to protect our citizens and give the security agencies and the law enforcement agencies the tools they need.
My Lords, I rise to speak to Amendment 156A and cite the simple facts about internet connection records. They do not currently exist, would be very difficult and costly to manufacture, have very limited usefulness and collecting and storing them, far from making us safer, would expose everyone in Britain who uses the internet to new and serious risks. In addition, they are highly intrusive into everyone’s private lives and cannot be stored securely by service providers. So it is little wonder, then, that no other western democracy is collecting internet connection records, including the four other members of the “Five Eyes” partnership, the long-standing security alliance between the UK, the USA, Canada, Australia and New Zealand. In fact, the new Australian data retention law specifically excludes the retention of web browsing histories. As for the USA and Canada, David Anderson pointed out in his report that in both countries,
“there would be constitutional difficulties in such a proposal”.
As my noble friend Lord Paddick has already pointed out, Denmark is the only country known to have tried to collect internet connection records—session logs, as they called them. That project was abandoned after a review by the Danish ministry of justice found that it had been of almost no use to the police. The Home Office claims, with some justification, that the proposal in the Bill has some differences from the Danish system but this year the Danish Government came up with a revised scheme that is almost identical to the internet connection records provisions in the Bill. That was promptly abandoned when the prohibitively expensive cost estimates of the Danish service providers were confirmed as accurate by independent accountants. We must ask ourselves: what is it about our country that makes the Government believe that we should be in a stubborn minority of one on this important matter? I hope the Minister will be able to explain it to the Committee.
It is important to understand that internet connection records—ICRs—do not currently exist. Unlike itemised phone bills, which phone companies keep for billing purposes and are the basis of the current communications data regime, communications service providers—CSPs—have no need whatever for ICRs so they do not create or keep them. The Joint Committee heard from many technical and industry experts, including the committee’s two excellent technical advisers, that it would be very far from simple for CSPs to start intercepting these data as they pass through their networks. Each company would have to devise a method suitable for their own systems. They would need to install expensive and complex equipment to carry out “deep packet inspection”, which copies data packets as they fly past on fibre-optic cables. They would then need to process the collected data to find and discard the very large amount of internal housekeeping signals that keep the network healthy but have absolutely no intelligence value. The warnings the committee heard from the service providers about the difficulties of making ICRs happen and their negligible intelligence value echoed what Danish service providers told their Government before they embarked on their ill-fated and wasteful scheme.
However, if some British service providers could do better than their Danish counterparts and succeed in creating internet connection records, it would not make Britons safer; it would make us less safe. I will explain why. The very existence of internet connection records would create more hazards and dangers for the British public than they currently face, and these risks are as good as impossible to mitigate. The first rule of digital security is to not keep any data you do not need because they are all vulnerable. Yet here, we are talking about storing everything that we all do on the internet for 12 months. We should bear in mind that this information would be gold dust to those who would do us harm and would attract the efforts of hackers, blackmailers, criminals and rogue states from around the world. The prize for them would be the details of the private lives of millions of UK citizens: all our personal secrets, including our banking and credit card details; our problems with addiction; our mental and physical health; our sexual proclivities; our financial struggles; our political leanings; our hopes, our worries, our plans—just about everything about our lives.
If the Government attempt to convince themselves and this House that service providers will be able to keep these data safe, they will be deluding themselves and the British public. It is a matter of when, not if, these sensitive data get into the wrong hands. I will explain why. Our service providers make their money from transmitting our data on their way to and from our devices. They are not in the business of storing it securely. The noble Baroness, Lady Harding, who is the chief executive of TalkTalk could, if she were in her place, recount how 156,000 of her company’s customers had their data accessed by hackers last year. In February this year, SWIFT, the interbank financial transaction network, which presumably needs and has much stronger security than service providers, had $81 million stolen in one set of transactions. It would have been much more, but for a simple spelling mistake by the culprits. Canadian police reported in August last year that two clients of the infidelity website Ashley Madison had taken their own lives, following the theft of the personal data of 33 million Ashley Madison customers. Also last year, Chinese hackers stole the details of 4 million US Government employees, including their security clearances.
I could go on but the Committee will be pleased to hear that I will leave it there for now. Suffice it to say that our data are very likely to be hacked and used to steal from us, blackmail us or otherwise harm us and our families. That might happen through a clever cyberintrusion originating in China or North Korea, or in a teenager’s bedroom in Cleethorpes. It may be a disgruntled or greedy insider. It may even be a police officer misusing the proper authorisation channels—and before the Committee discounts that possibility, your Lordships should be aware that over the last five years there were 877 instances of inappropriate data disclosure by police officers to third parties, of which 297 cases resulted in either resignation or dismissal and 70 in a criminal conviction or caution.
The intelligence agencies are clear that they have no need for internet connection records. The policemen who gave evidence to the Joint Committee did not seem to have their hearts in it when they were sent in to bat for ICRs by the Home Office, which has been pushing for this power for years. The new power fails the necessity test. Its usefulness is tiny and its intrusiveness for every citizen is very high, which means that it fails the proportionality test as well. It is technically difficult and very costly to deliver. It opens up a whole new set of risks for innocent internet users, making us substantially less safe, and for all those reasons no other country is doing it. Internet connection records have nothing going for them and should not be part of the Bill.
My Lords, I will speak briefly. The Committee has listened with great interest to the noble Lord, Lord Strasburger, who was a member of the Joint Committee, which agreed unanimously—himself included—to this statement:
“We agree that all of the proposed purposes for which access to ICRs could be sought are appropriate”.
It went on to say:
“Whether ICRs are included or not”— subject to the European Court of Justice—
“we believe that, in light of the ongoing need for communications data and the imminent expiry of DRIPA, a continued policy of some form of data retention is appropriate and that these provisions should accordingly form part of the Bill”.
A number of us have come to this Committee anxious to see the work done under the noble Lord, Lord Murphy, whose chairmanship of the Joint Committee was impressive. We were under the impression that its report was an accurate record. Now the noble Lord, Lord Strasburger, stands up and says something entirely different from what was unanimously agreed in the Joint Committee.
My Lords, I will speak in support of Amendment 156A but I also support Amendment 147A, which was moved by my noble friend Lord Strasburger. I will not go into all the details set out so ably by my noble friends Lord Paddick and Lord Strasburger but there are some key issues which really have to be addressed. It is not good enough, frankly, to say that the Joint Committee may have said this or that; we need answers to the questions that have been posed.
The first question is: why is it that the United Kingdom, as far as I understand it—I hope that the Minister will correct me if I am wrong—uniquely among the “Five Eyes” countries requires this power? Indeed, as far as I understand it this is unique among any equivalent western democracies. I hope the Minister will tell us what is so unique about the situation we find ourselves in. It is not shared by the United States, Canada, New Zealand or any other western democracy.
Secondly, it is important to understand that, at the moment, 25 countries around the world are considering investigatory powers legislation—countries such as India, Pakistan and many others. They are looking towards us and at what we do. We have to think extremely carefully about what we are doing and we must ensure that our questions are answered. It is incumbent on the Government to do that.
We are also in a time of quite a lot of political upheaval. As a result, I doubt many people have been paying a huge amount of attention to the Bill. I imagine the public will be absolutely horrified when they discover that Parliament has granted a power to government to insist on the retention of the details of every single person in this country’s access to every single website. They will want to know why and they will want to know under what conditions of security such information is to be held. They will want to know the cost and whether this Parliament rigorously examined the cost and the need for their data—the data of innocent people—to be held in this manner. It is not good enough for us just to say that this power might be desirable or useful at some point; we have to be clear that it is proportionate, that it can work and that it can be held securely.
Does the noble Lord not remember that some of us tried to anticipate some of these problems and bring in amendments to a previous Bill? We were told then that we must not rush this. This Bill must now have been subject to the most exhaustive scrutiny of any that I can remember. It has been the subject of three independent reports and of scrutiny by a Joint Committee of both Houses, on which the noble Lords, Lord Murphy and Lord Butler, who are present, and other Members served. The noble Lord stands there and suggests that this is some impetuous reaction to a problem that has just arisen. I have been critical—I should have liked to see earlier action—but I accept that the Government decided that the Bill should be subject to the most exhaustive public scrutiny that I can remember for any Bill. In fairness, the noble Lord might recognise that in his speech.
If the noble Lord had been in his place at Second Reading, he would have heard me give exactly that recognition. I recognise entirely the scrutiny and excellent work. I note that it is only because of the actions of people such as the then Deputy Prime Minister, Nick Clegg, that we had that scrutiny. I am grateful that we had it and the Bill is much better as a consequence. I welcome it. That does not mean, however, that as a result of that scrutiny we should abandon our Committee proceedings; it does not mean that those of us who have not served on Joint Committees should not be able to ask questions or seek answers. That is certainly what I will continue to do in this matter.
What is being required is an extraordinary power. We must be absolutely clear about that: it is unique. The noble Lord, Lord King, the Minister or any other noble Lord needs to explain—and nobody has, certainly not in all the proceedings so far in this House—why we, uniquely, need this power. The power is one that even such eminent people as my noble friend Lord Carlile—no slouch on counterterrorism measures—have questioned in the past. Indeed on
“I, Lord Reid, Lord West and others of like mind have never favoured the recording of every website visited by every internet user, though we have been accused of that ambition”.
I hope the Minister will correct me if I am wrong, but as I understand it that is exactly what is proposed: the retention of data on the internet connection records of every internet user in the country. I hope that the Minister will address and answer all the detailed points put by my noble friends Lord Paddick and Lord Strasburger, and tell the House why we, uniquely, need a power required by no other constitutional democracy of a similar type in the world.
I did not say that. Perhaps I can assist the Committee. What I said was that the security services—MI5, MI6 and GCHQ—have told me, in my visits to those agencies, that they do not require the retention of internet connection records for them to carry out their very important work around national security and serious crime. It is not the case, nor did I state, that the National Crime Agency does not support this measure. The National Crime Agency has supported it in its presentations to me. I have been to the National Crime Agency twice, because it failed to convince me the first time, and I am sad to say that it did not convince me the second time either.
I apologise if I misunderstood the reference to GCHQ and the National Crime Agency and the way in which that was phrased. I ought to declare that I am a former non-executive director of the National Crime Agency. I have been very affected in my thinking on this by the extent to which every law enforcement agency that I have spoken to, in particular the National Crime Agency, seems to believe that this is a very necessary power to enable them to have the evidential ability to pursue serious crime. That is where the distinction lies between the intelligence agencies, which are not seeking this as an evidential tool, and the National Crime Agency and other law enforcement bodies, which see it as an evidential necessity. Depending on a relationship between the NCA and GCHQ within the National Crime Agency seems an unlikely way around this. If there is an evidential requirement, we should put that in the Bill and provide it to law enforcement, rather than relying on GCHQ to provide it by some particular piece of machinery within the NCA, because that would not then be available to all those who might need it within law enforcement.
This is also relevant in terms of why, or the extent to which, other countries have not gone down this road. There is plenty of evidence that the United Kingdom has been considerably more successful, particularly in the pursuit and prosecution of paedophile crime online, than a number of other jurisdictions. That is partly because we have provided appropriate powers to law enforcement to be able to pursue this. The UK has been much more successful in terms of prosecution figures for very similar situations to those facing some European countries. We should continue to provide the powers that enable the UK to pursue those sorts of crimes, which are at the moment an absolute wave hitting the law enforcement community. If we do not provide it with the powers, we will leave a situation where very many people who have committed online paedophile crime are not prosecuted. From my point of view, that certainly does not seem a satisfactory way forward.
I am also slightly cautious about the argument that people can always get round this and that anyone applying their best security would not get caught. Almost all investigation, whether intelligence or criminal, relies on those who are criminals or threats to our security not being as good at what they are doing as they hoped. To say that we should not introduce powers because they are not infallible and that if someone applied all security measures they might be able to get around them would mean that we would provide very few powers to either the intelligence services or law enforcement agencies, because someone somewhere might be able to avoid them. Most people, most of the time, do not apply all the security that they could when they are undertaking either national security threats or crime. That is why we can catch them. We should provide as many powers as we can to catch these people before they damage us, and prosecute them afterwards.
My Lords, I, too, was a member of the Joint Committee. This is the first time I have spoken on the Bill, for various reasons, and I pay tribute to the noble Lord, Lord Murphy, who chaired us so splendidly. The Bill has gone through a model of pre-legislative scrutiny. Compared with the state of most legislation that comes to us, it has really been chewed over, not least in the Commons, to improve it further. I am broadly comfortable with it.
It is good that we are looking at these issues because we are pushing the boat out. Inevitably, in the internet age, we are having to do things we have not done before. I understand the practical challenge of keeping internet connection records effectively. The Danish experiment is salutary—they effectively abandoned it. We had a witness from Denmark who explained it all to us: they had tried and failed. I think that the case for having access to internet connection records has been made. There is a document to which no reference has yet been made entitled Operational Case for the Use of Communications Data by Public Authorities—that is, other than the police—which lists about 20 authorities, such as the Financial Conduct Authority, and sets out case by case the value of having such records. I was with the majority on the committee which felt the case has been made in principle.
The Bill sets out various checks and balances. The companies which will be required to keep these records have a right to appeal against the notice and that must be discussed with the Information Commissioner to ensure that what is being asked of them is practically possible. They must put in place adequate security systems to ensure that the internet connection records which are retained are properly secure.
There are practical questions because we are pushing the boat out a bit internationally as to how this is to be achieved and how much it will cost. As I understand it, the cost will not fall on the companies concerned but will be reimbursed to them by the Government. It would be helpful to know the latest estimate of those costs. I have a feeling that it was about £200 million when we met in the committee, but it would be good to know just what it may cost.
At the end of the day, we live in an ever more fragile and dangerous world and there are good reasons for thinking that that will be the case in future. If we can add this tool with proper safeguards to the police and other agencies it is well worth doing, but we should not underestimate the practical difficulties of being the first country to do this effectively; there are real questions there.
My Lords, after a good deal of thought, my conclusion is that I support the conclusions of the Joint Committee, not the amendments. I previously joined the noble Lord, Lord King, in trying to bring provisions such as this to the statute book rather more urgently. I agree with his comment that it is the most scrutinised Bill we have ever seen—certainly in my more than 30 years in one or other House of Parliament. It was published with three independent reports supporting it, one of which, David Anderson’s report, was extremely complete and considered every aspect of the proposed legislation. It comes to this House with more documents published by the Government, including some of the inner work of GCHQ, than we have ever seen before. It is a great tribute to GCHQ that it accepted the advice that many people outside its establishment gave to it that it should reveal more of what it is doing. I absolutely agree with what has been said by the noble Lord, Lord Evans, who had great experience of these matters throughout his career, until he entered your Lordships’ House.
What are we really trying to achieve? I think that we are trying to achieve what we already do when we have the opportunity to do it. There is a clear analogy here with mobile telephony records. As the Crown Prosecution Service has said, in 95% of the serious cases that are tried—when there is a not guilty plea, in other words—in the Crown Courts, mobile telephony records and cell site analysis are used as an extraordinarily powerful tool contributing to the conviction of very serious criminals.
On this occasion, I am not going to bore your Lordships with anecdotes about cases that I and other noble Lords have been involved in, for the simple reason that there are far too many cases to describe from those anecdotes in which mobile telephony records have been used to good effect. What technique is used—or has been used up to this stage, until this Bill is enacted—for accessing mobile telephony and internet connection records? Where they are available, the police and other authorities try to obtain access to them; when they obtain access to them, they can track the activities of the people whom they suspect—and, when they can track those activities to good, evidential effect, they use them. The result of that is to be able to put extremely powerful evidence before the courts. All that we are trying to do in this Bill is to create a reliable system that is as uniform as possible so that this type of information can be used in all cases.
Underlying the criticism of this provision is some kind of mythology about the activities of the security services, GCHQ and the police. There seems to be a myth about that they are so bored, so inactive, so idle and inert and suffer from such excessive curiosity that they have the time to look at the completely uninteresting, irrelevant internet records of any member of the public for something to do. That is an appalling suggestion, quite apart from the extremely strong discipline exerted—and I looked at this in some detail when I was Independent Reviewer of Terrorism Legislation and subsequently—on members of those security services. There are some far more experienced than me in this House, sitting in this House today, but I am sure that those noble Lords and noble Baronesses would agree that, if people were so stupid as to use their time in the security services to look up our credit card accounts, for example, they would be in very serious disciplinary trouble. So let us put that canard aside.
Let us also remember that we are not comparing like with like when we talk about other countries. The Joint Committee came to the conclusion—and the Government have, rightly, come to the same conclusion—that the Danish experiment failed because it was different and did not use the most appropriate technology. It was unfortunate for the Danes—they did it before we decided to do it—but the fact is that the Danish experiment is irrelevant to this discussion. Let us not forget, too, the powers of investigators in other countries. We are setting down in this Bill controls of the security services and anybody else who wishes to obtain access to those records, which will be the best controls in the world. We are ahead of the rest of the world in these provisions.
Compare it with what juges d’instruction can do, for example, in France or Belgium. If any one of us is an accused in France or Belgium or any other country on the continent where they have that kind of system, not only will the juges d’instruction have access to those records in any event, and not only do they have powers to direct that they have disclosure of those records to themselves, but the subject will never have the faintest idea that that has been done. Although it is tempting to compare what we do in this country with a number of other countries, it is misleading because no two systems are the same.
I agree with the right reverend Prelate that this proposal has been examined. It has had as objective an examination as one could imagine. It is a matter of record that my noble friend Lord Strasburger, like it or not, agreed with the committee’s conclusion. History will say that he agreed with that conclusion because it is there in the committee’s report. It is now time that we move on, accept that this Bill contains an objective analysis and pass this important set of provisions which will help our authorities to catch the most serious criminals, including hundreds of paedophiles, as alluded to by the noble Lord, Lord Evans.
My Lords, I have not spoken at all on this Bill so far but I should like to make a practical point following what the noble Lord, Lord Carlile, and previous speakers have said. I speak as a former family judge who over the years has been very involved in safeguarding. One of the most important things is to be sure that the police—it is really the police that we are talking about, rather than the security services—have all the tools that they can possibly have to be able to convince a jury, on a prosecution, that a really serious crime has been committed. If this is going to catch even more paedophiles I endorse it, and I hope the House will agree with me.
My Lords, I shall be very brief. As has been said, the provisions of this Bill have been subject to considerable scrutiny. The heart of Amendment 156A is about the balance between privacy, security and safety. Inevitably there will be disagreements, which have been highlighted in this debate, about where an appropriate and proper balance lies.
On Amendment 147A, I have virtually no knowledge about the Advocate-General’s opinion, to which reference has been made. However, if we have that opinion, we would like to hear at some stage whether the Government think that it would have implications for any of the provisions and procedures in the Bill, were that opinion subsequently adopted.
My Lords, Amendment 156A seeks to prevent the retention of internet connection records. The Committee will not be surprised that the Government cannot support such an amendment. We have been absolutely clear about the need for internet connection records. We addressed that when publishing the operational case for these powers.
The right reverend Prelate the Bishop of Chester referred to a model of pre-legislative scrutiny. The noble Lord, Lord Carlile, referred to the most scrutinised Bill ever seen. My noble friend Lord King alluded to the three reports we have had, and the noble Lord, Lord Murphy, spoke about the Joint Committee that he had chaired which scrutinised these matters. Over and above that, we had the evidence given to the Public Bill Committee by, for example, the noble Lord, Lord Reid, and Charles Clarke. They were asked whether they thought that ICR were a key part of updating legislation for the current world, and both agreed definitively. I commend the contents of those three reports to the noble Lord, Lord Oates, and also commend to him the findings of the Joint Committee. He asked whether the UK was unique within the “Five Eyes” or indeed the world in seeking to develop these powers. It may well be that we are the forefront of developing them, and a good thing it be. I quote from the report by David Anderson QC:
“Comparing the UK’s legal regime with those of other countries is fraught with danger”.
I commend to the noble Lord, Lord Oates, what follows in that report because David Anderson develops those points and explains them. It is on the record, we have had it for a long time, we have considered it in the development of the Bill and the Joint Committee considered these matters. That is why the Bill is in its present condition.
The noble Lord, Lord Evans, observed that we have the ability to secure effective police investigations in areas where other countries have failed. I mentioned on a previous occasion the comparison between the results in the UK and Germany regarding the investigation and prosecution of cases involving paedophilia. I do not accept that, because we are ahead of others, somehow we are wrong.
Does the Minister accept that the point is not just that we are in front of other common-law jurisdictions such as the US, New Zealand and Australia but that, in the case of Australia, as alluded to by my noble friend Lord Strasburger, this issue was specifically considered by the Australian Government and Parliament, and the Australian data retention law specifically excludes the collection of such information precisely because it was felt to be a disproportionate invasion of privacy?
I invite the noble Lord to have a little more confidence in the parliamentary procedures in the UK, in the scrutiny that is being given by our institutions to the provisions of the Bill, and even in the Committee procedures of this House. We have looked with care at these matters repeatedly and have come to a view regarding ICRs.
Not just yet. The fact that other jurisdictions may have taken a different view is to be noticed but is not necessarily of any great moment in this context.
I want to deal with the suggestion by the noble Lord, Lord Paddick, that somehow GCHQ could provide the alternative route into all this material, and that somehow the security services would be there at the beck and call of the police authorities in order to in-gather and provide the appropriate information by different means. He asserted that the security services said, “We do not need”. That is far too hard-edged. They have other means but they did not say, “We do not need” in that context.
The noble Lord suggested that I had made an assertion on a previous occasion about the admissibility of certain intelligence acquired by the security services. I did not make an assertion; I made a statement of fact. Intelligence acquired through interception cannot be used as evidence in court. That is the factual position.
This Committee is part of the process of the scrutiny of legislation, and therefore this House should have respect for noble Lords who wish to use it to challenge what the Government are proposing. With regard to the greater success that the UK has had compared with, say, Germany in the prosecution of paedophiles, will the Minister confirm that that is using existing legislation without the use of internet connection records?
On the question of an evidential basis, why, in the operational case for internet connection records, is the need for evidential material not included in any of the examples provided by the National Crime Agency? Why, when I visited the NCA on a couple of occasions, was none of the examples that it gave of a need for evidence that could be presented in court? Indeed, the case studies presented to me at GCHQ confirmed that the work done by GCHQ in conjunction with the NCA was sufficient for the NCA to bring successful prosecutions, notwithstanding that the interception of content is not acceptable in giving evidence in court.
I am most obliged to the noble Lord for his intervention. Of course, I did not accompany him to the NCA, so I do not know what examples he was or was not given, and nor did I prepare or draft the operational examples that he referred to earlier. Of course, there are other means by which evidence may be gathered for the purpose of prosecution, but we are looking to the most effective means of doing this going forward, remembering that people are moving away from telephonic communication—using mobiles and telephone systems—and into the use of internet connection by way of such examples as WhatsApp. Our police forces will be blinded if we allow that development and do not attempt to keep up with such developing technology.
On the question of whether there is an evidential requirement, I note that the noble Lord now acknowledges that there is an evidential requirement in the sense that intelligence gathered by way of interception is not admissible as evidence in court.
The question of the cost of carrying out this exercise was raised. The figure of £1 billion has been put about repeatedly, and the experience in Denmark has been referred to on many occasions. However, one has to look at this from the perspective of the United Kingdom and its approach to this matter. We do not accept the estimate of £1 billion that has been given, and indeed—in response to the inquiry from the right reverend Prelate the Bishop of Chester—the current estimate of costs is about £175 million. Our figures factor in the existing infrastructure and the requirements already placed on individual communications service providers, as well as the technical complexity of their networks in this context.
One has to bear in mind that, for example, the Data Retention and Investigatory Powers Act 2014 and the Counter-Terrorism and Security Act 2015 already provide for the retention of source IP addresses and port numbers, which make up part of an internet connection record. So I cannot accept the assertion from the noble Lord, Lord Strasburger, that none of these records are provided for under existing legislation. Furthermore, the Bill allows the Government to require the retention of communications data, including internet connection records, only when necessary and proportionate. One must not lose sight of that test in this context.
So we consider that a case was made in the reports regarding internet connection records. We entirely agree with the view arrived at by the Joint Committee. The noble Lord, Lord King, has already quoted from its report that,
“on balance, there is a case for Internet Connection Records as an important tool for law enforcement”.
That has been clearly established by the work that has been done. I acknowledge that of course the Committee of this House wishes to scrutinise this legislation, and it is right that it does so, but it is helpful if it does so against the background and with an understanding of the pre-legislative scrutiny that has already taken place, with regard to the three reports and indeed the recommendations of the Joint Committee. So we submit that the ability to require the retention of internet connection records is a fundamental power that will provide substantial benefits to law enforcement and indeed to the security and intelligence agencies. It is in these circumstances that I say that we cannot support Amendment 156A.
I turn for a moment to Amendment 147A, which seeks to require judicial commissioner approval for applications to acquire internet connection records. I hope that I can persuade noble Lords that the amendment is not needed because we already have a stringent authorisation regime in place that protects against the abuse of applications for communications data. Indeed, the noble Lord, Lord Carlile, alluded to the suggestion that somehow our security agencies and police would have such time on their hands that they would simply roam around such communications data for their own amusement. One is entitled, surely, to discount such a proposition.
The Bill contains robust safeguards for every stage of the acquisition of any form of communications data. This includes requiring the use of an expert single point of contact; authorisation by a designated senior officer who is independent of the investigation and who must be of a rank approved by Parliament; comprehensive oversight by the new Investigatory Powers Commissioner; and the new offence of unlawfully acquiring communications data from a telecommunications operator.
On top of those general requirements, there are extra, specific safeguards for the acquisition of internet connection records. So internet connection records will be able to be acquired only if they are needed for one of the four specified investigative purposes—and local authorities, for example, will be barred from acquiring internet connection records in any form. As well as these protections, we have also tabled an amendment that provides for a crime threshold that must be met before internet connection records can be acquired. We addressed this issue earlier. This will prevent their use for low-level crimes.
So while we recognise that there are sensitivities concerning internet connection records, they will, among other things, be fundamental in resolving IP addresses in certain cases. For example, where the telecommunications operator uses technology that allocates the same IP address to a number of different customers, the internet connection record will help to determine the specific individual in whom law enforcement is interested. There has been cross-party agreement that we need to solve the problem of IP address resolution and I cannot see how it would make sense to require judicial authorisation for some types of IP address resolution but not for others, simply because of the technology that a telecommunications operator uses.
If a public authority were considering acquiring internet connection records in a way that was novel or contentious, it would certainly be right for additional safeguards to apply. That is why the draft communications data code of practice requires any novel or contentious application for communications data to be referred to the judicial commissioner. The Government believe that it is absolutely right that novel or contentious cases are referred to the commissioner, but we do not believe that the tried and trusted authorisation system for communications data should be fundamentally changed when there is no evidence that it is not working. Furthermore, none of the three independent reports that we have referred to and which informed the drafting of this Bill—from David Anderson, the ISC and RUSI—suggested or recommended any changes to the authorisation regime for communications data.
Finally, the noble Lord, Lord Strasburger, referred to the recent opinion of the Advocate-General in the case of Watson in the CJEU, which came out this morning. We note what was said in a fairly lengthy opinion. Your Lordships will be aware that that is the opinion of the Advocate-General, not the judgment of the court; a final judgment is anticipated in the autumn of this year. The Government maintain that the existing regime for the acquisition of communications data and the proposals in the Investigatory Powers Bill are compatible with EU law, and clearly it would not be appropriate to comment further while legal proceedings are ongoing. In these circumstances, I invite the noble Lord to withdraw his amendment.
The Minister may have given an impression, which I am sure he did not intend, that by scrutinising the Bill and seeking to do so, noble Lords were somehow not cognisant of the history of the development of these proposals and of the various bits of scrutiny. He should correct that. I myself spent five years in the coalition Government very much involved in these discussions, and one reason I am sceptical about many of the things I hear about why we must do things is because I have heard them before. For example, on the third-party data issue, the Independent Reviewer of Terrorism Legislation David Anderson said in his report that it was unnecessary and no operational case had been made for it. So I want the Minister to be clear on that. Noble Lords are concerned not because they have not studied or are not aware of these things but because they are very much aware of them.
No doubt noble Lords are cognisant of the three reports and the Joint Committee’s recommendations on the Bill. But I sought and seek to remind noble Lords of what those recommendations contained and of the terms of the Joint Committee’s report—particularly as the noble Lord, Lord Strasburger, who was a member of that committee, seemed to think it appropriate to depart from the recommendations which appear to have been made in its report.
My Lords, I thank the House for an interesting and lively debate, which this subject absolutely deserves. I am somewhat disconcerted by an assertion made by the Minister and one or two other noble Lords. Just because the Bill has been heavily scrutinised—I fully recognise that, and if it is the most scrutinised Bill in the history of this House, so be it—it does not mean that we should abandon our role in this House. We have six days in Committee; are we wasting our time attempting to honestly and genuinely scrutinise the Bill before the House? I do not think so. I will save most of my responses to the debate for Report. I will just say quickly to my noble friend Lord Carlile that there is a world of difference between communications data on mobile networks and internet connection records. I will leave it at that for now, and I am happy to withdraw the amendment.
Amendment 147A withdrawn.
Clause 73: Commissioner approval for authorisations to identify or confirm journalistic sources
Amendment 148 not moved.
Clause 73 agreed.
Clause 74 agreed.
Clause 75: Collaboration agreements: supplementary
Amendment 149 not moved.
Clause 75 agreed.
Clause 76 agreed.
Clause 77: Lawfulness of conduct authorised by this Part
My Lords, perhaps this is a bit of light relief. Clause 77(1) defines what conduct is lawful when it comes to obtaining communications data, and Clause 77(2)(a) goes on to say that someone cannot be sued if what they do,
“is incidental to, or is reasonably undertaken in connection with”,
the lawful conduct defined in subsection (1). So far, so good. Clause 77(2)(b) goes on to say that someone cannot be subject to any civil liability in respect of conduct that,
“is not itself conduct for which an authorisation or warrant … is capable of being granted”,
under various acts set out in subsection (3) and,
“might reasonably have been expected to have been sought in the case in question”.
If I understand this correctly—and I am sure I have not—if that conduct could and should have been authorised but was not, they can be sued, but if it was not something that could or should have been authorised, no civil liability arises. Either that cannot be right, or it is capable of misunderstanding and should be changed. Can the Minister put the provision in plain English? Our amendment is probing to ensure that we know what we are dealing with. I beg to move.
My Lords, the provisions on the lawfulness of conduct authorised by Part 3 replicate those that apply currently in the Regulation of Investigatory Powers Act 2000. As we made clear in response to an identical amendment in the other place, the Bill goes no further as regards providing indemnity from civil liability for conduct that is incidental to, or reasonably undertaken in connection with, a communications data authorisation.
The provision as drafted ensures that a person who engages in conduct only in connection with an authorisation cannot be subject to civil liability unless that activity could itself have been authorised separately under a relevant power. That, we submit, must be right. The amendment would remove that provision entirely, which, in effect, would mean that a person acting lawfully under an authorisation that had properly been granted under the Bill would be at risk of civil liability if some incidental or reasonably connected conduct were not expressly covered by the authorisation.
I notice that it is a probing amendment. In those circumstances, I invite the noble Lord to withdraw it.
I thank the noble and learned Lord for what he has said. However, we tabled this probing amendment in order to understand what the provision means. Unfortunately, simply saying that it replicates legislation that is already on the statute book does not really help our understanding. Perhaps the noble and learned Lord can say whether the provision has been applied in the past under the Regulation of Investigatory Powers Act.
I am not in a position to give a specific answer to that question, but I am content to write to the noble Lord on the point.
I am very grateful to the noble and learned Lord for his promise to write on this issue. My question is genuine. Perhaps it is because I am not a lawyer and my brain is not very big, but I contend that the provision is impenetrable. At this stage, I beg leave to withdraw the amendment.
Amendment 150 withdrawn.
Clause 77 agreed.
Clauses 78 and 79 agreed.
Schedule 5 agreed.
Clause 80: Application of Part 3 to postal operators and postal services
Moved by Earl Howe
151: Clause 80, page 62, line 32, leave out from beginning to “were” and insert “sections 58(3)(za) and (Restrictions in relation to internet connection records)”
Amendment 151 agreed.
Amendment 152 had been withdrawn from the Marshalled List.
Clause 80, as amended, agreed.
Clauses 81 and 82 agreed.
Clause 83: Powers to require retention of certain data
Amendments 153 and 154 not moved.
Moved by Earl Howe
155: Clause 83, page 65, line 20, at end insert—“( ) The fact that the data which would be retained under a retention notice relates to the activities in the British Islands of a trade union is not, of itself, sufficient to establish that the requirement to retain the data is necessary for one or more of the purposes falling within paragraphs (a) to (j) of section 58(7).”
Amendment 155 agreed.
Moved by Lord Rosser
156: Clause 83, page 65, line 21, leave out subsection (9) and insert—“( ) In this Part—“relevant communications data” means—(a) communications data of the kind mentioned in the Schedule to the Data Retention (EC Directive) Regulations 2009 (SI 2009/859),(b) internet connection records, or(c) relevant internet data not falling within paragraph (a) or (b);“relevant internet data” means communications data which may be used to identify, or assist in identifying, the sender of a communication (whether or not a person).”
The intention behind this amendment to Clause 83 is to replicate the Data Retention and Investigatory Powers Act in its original form. In so doing, it would restrict the scope of Clause 83 and equate it to existing data retention provisions in DRIPA, with the only addition being the inclusion of internet connection records.
Under the Data Retention and Investigatory Powers Act, the term “relevant communications data”, as I understand it, covers internet access services, internet email and internet telephony. Those categories replicate the 2009 data retention regulations, which implemented the then EU data retention directive. The Counter-Terrorism and Security Act 2015 extended DRIPA to include what was called IP address resolution data.
Clause 83 currently empowers the Home Secretary to issue retention notices covering some six categories of data under the definition of “relevant communications data”. One of these categories is internet connection records. That therefore leaves five other categories, which on the face of it would appear to go wider than the existing data retention categories under the Data Retention and Investigatory Powers Act 2014 as amended by the Counter-Terrorism and Security Act 2015.
As the Bill is currently drafted, the term “relevant communications data” could be interpreted as some sort of catch-all definition of relevant communications data that would cover the collection of virtually any type of communication on a network, including communications where the sender or recipient was not a human being. If that is an accurate assessment, the definition of “relevant communications data” in Clause 83 would cover not only background interactions that smartphone apps make automatically with their supplier servers but presumably also the entire internet of things.
I therefore seek an explanation from the Government as to why the scope of “relevant communications data” in the Bill is not consistent with that in current recent legislation, the reasons and justification for the apparent broadening of the scope, and the difficulties that presumably the Government believe would be caused if the scope of Clause 83 were restricted in line with the amendment and instead equated to existing data retention provisions in DRIPA, apart from the addition of the inclusion of internet connection records. I beg to move.
My Lords, the amendment seeks to amend the definition of “relevant communications data”—that is, the communications data that the Secretary of State will be able to require communications service providers to retain.
“any new law … must be couched in technology-neutral language”.
The Government agree. However, the amendment would go against that advice. It would seek to revert to the technical language from the data retention regulations 2009. This, in turn, as the noble Lord mentioned, was drawn from the EU data retention directive 2006, which was struck down in 2014.
I suggest to the noble Lord that it would be inappropriate to base today’s law on specific tele- communications definitions from a decade ago. For example, the amendment would ensure that we retained a reference to dial-up internet access in our legislation. That surely cannot be appropriate where broadband and mobile internet access are now the norm. The approach we have taken is to keep our definitions technologically neutral, as David Anderson recommended and as, indeed, is sensible in the drafting of any law that needs to apply across a range of technologies over time.
I hope that the noble Lord will recognise that it is not appropriate to tie our data retention regime to specific, and outdated, technological language. Those are the reasons why the Government cannot support the amendment.
Perhaps I may ask a question on that point. Not unfairly, the noble Earl made reference to regulations of some years ago, but presumably it is also accurate to say, and perhaps he could comment on this, that very recent legislation—namely, DRIPA 2014, as amended by the Counter-Terrorism and Security Act 2015—has also used the wording referred to in the amendment. Therefore, it also relates to legislation that is not particularly old and indeed is pretty recent. As I see it, we are making a change in wording from legislation that was passed only a year or two ago.
The noble Lord makes what is, on the face of it, a fair point. We have language, as I have explained, that is out of date. But even where the language is not out of date in the kinds of instances that he refers to—for example, legislation refers to the “international mobile equipment identity” of devices—the rate at which telecommunications change means that that kind of language could become out of date very quickly. We try to read across the data descriptions that originated in the 2006 directive to the communications technologies of today, and do so in technology-neutral language. That is why we have departed from the approach that the noble Lord is advocating.
As the noble Lord will remember, DRIPA was emergency legislation. We simply replicated the existing language in that Bill. We now have an opportunity in the Bill before us to do rather better and try to future-proof the terms that the Bill contains.
Moved by Earl Howe
157: Clause 88, page 67, line 34, at end insert—“( ) The fact that additional relevant communications data which would be retained under a retention notice as varied relates to the activities in the British Islands of a trade union is not, of itself, sufficient to establish that the requirement to retain the data is necessary for one or more of the purposes falling within paragraphs (a) to (j) of section 58(7).”
Amendment 157 agreed.
Amendment 158 had been withdrawn from the Marshalled List.
Clause 88, as amended, agreed.
Clauses 89 to 92 agreed.
Clause 93: Warrants under this Part: general
My Lords, this amendment is one of several in this group in my name and that of my noble friend Lady Hamwee. Amendment 158A probes what is meant by the term “any other information” in terms of the purpose of an equipment interference warrant. Clause 93(2) states that an “equipment interference warrant”,
“requires the person to whom it is addressed to secure interference … for the purpose of obtaining—(a) communications”,
which is defined in Section 126(1); “(b) equipment data”, defined in Section 94; and “(c) any other information”, which is not defined. Can the Minister at least give some examples of what “any other information” means? Amendments 185B and 185C cover the same point in other subsections of Clause 93.
Amendments 158D to 158M and Amendments 169B to 169T make a different point—to try to ensure greater targeting of equipment interference warrants. Clause 95 sets out the subject matter of targeted equipment interference warrants. Clause 95(1)(b) states that the warrant may relate to,
“equipment belonging to, used by or in the possession of a group … who share a common purpose or who carry on, or may carry on, a particular activity”.
Such a broad and potentially large group of people can only in the loosest sense be described as targeted.
Amendment 158J applies the same arguments to targeted examination warrants in Clause 95(2)(b). Similar arguments of not being too broad and not being sufficiently focused apply to Clause 95(1)(f):
“equipment which is being, or may be, used for the purposes of a particular activity or activities of a particular description”.
Instead, Amendment 158H would insert:
“A targeted equipment interference warrant may be issued only if the persons or equipment to which the warrant relates are named or specifically identified using a unique identifier”,
which could, for example, be the IP address for a particular device. Similar wording in Amendment 158M would apply to targeted examination warrants.
It is worth remembering what targeted examination warrants are for. If, as a result of the bulk collection of the content of overseas communications, the security services discover UK-based communications that they want to examine the content of, they must first have a targeted examination warrant. This is to prevent the bulk collection of the content of communications of UK citizens. How then can it be right that such a targeted examination warrant applies to such a broad range of communications as,
“a group of persons who share a common purpose or who carry on, or may carry on, a particular activity”?
If the security services know that the communication is UK-based, they must also know whose communication it is and can therefore specify that in the warrant.
Subsections (1)(g) and (h) and (2)(d) and (e) of Clause 95 make provision for the issuing of targeted equipment interference warrants and targeted examination warrants for the purposes of testing, maintenance of equipment and the training of people. Amendments 158F, 158G, 158K and 158L would leave out those provisions.
In the first Committee sitting we discussed the issuing of interception warrants for the purposes of testing equipment and training agents, and the noble and learned Lord responded to the debate at cols. 105 and 106. In response to the Minister’s explanation, I said that I was still puzzled about training and testing warrants. I accepted that new equipment required testing and individuals needed to be trained in real-life situations but said that I was concerned about who the individuals or organisations were that might be targeted in these training exercises, bearing in mind that the normal provisions regarding proportionality and necessity in terms of suspicions that these individuals were up to no good would presumably not apply in training and testing situations. If they were real bad guys, a non-testing and training warrant could be issued. The noble and learned Lord failed to convince me then, but perhaps he can try again now.
Amendments 169B and 169T make the necessary consequential changes to the requirements that must be met by warrants in terms of the details that must be included in equipment interference warrants. I beg to move.
My Lords, I listened very carefully to the noble Lord, Lord Paddick, and his explanation of his amendments, but I was not at all convinced. If we believe that there is a need for the Bill, which I do, but have reservations about some of the issues around encryption, we have to ensure that the relevant agencies have some tools in their kit box. One of those tools has to be the ability to interfere with or look at the specific equipment. What the noble Lord is trying to do is to restrict the availability of that power to such an extent that it would effectively become almost useless. It would simply be available if you have one named individual. Therefore surely it is right that a significantly broader power should be available to engage here.
The question that the Minister who is going to respond needs to answer is this: how will the test of proportionality be applied in such cases? Presumably it is not proportionate to have such a broad sweep contained within the authorisation that it is inappropriate and overly onerous. The mechanism is therefore this: how is it determined that this is a proportionate and proper use of the power, and can we and the public be reassured that the mechanisms exist to ensure that that proportionality is adhered to?
I am obliged to noble Lords. I know that these are probing amendments and I shall address them in that light. Of course some of these amendments were discussed in the other place and, as noted, were considered again by this Committee in the context of interception.
Amendments 158D to 158M and 169B to 169T would remove the ability of the warrant-requesting agencies to apply for a warrant against an organisation, a group of persons with a common purpose, or a group of persons carrying out the same activity. They would require a warrant to name or identify each person or piece of equipment to which the warrant relates and they would remove the ability to obtain warrants for testing and training activity. As I have already set out when we considered similar amendments in the context of interception, it is important that those responsible for keeping us safe have the powers they need. These amendments would undermine their ability to employ those powers.
Let me start with the amendments regarding unique identifiers. As I explained in the context of interception warrants, it is not always possible at the outset of an investigation to know or have identified all of the individuals who may be subject to a warrant over the course of that investigation. The example of a kidnap gang applies to equipment interference just as it applies to interception. When a warrant is granted against a gang, the person applying for the warrant may not know that there are four members of the gang rather than three. The ability to grant a warrant against the gang in order to establish its size and to identify co-conspirators is precisely why the Bill provides for thematic warrants. Thematic warrants are already available to the equipment interference agencies under the Intelligence Services Act 1994 and the Police Act 1997 and they are invaluable when investigating complex or fast-moving threats. It is right that the Bill should not undermine their ability to do this.
I would seek to reassure your Lordships that the Bill already provides in Clause 107 that the warrant has to describe the relevant persons, locations, activity or groups and the type of equipment to which the warrant relates in so far as it is reasonably practicable to do so. This is an important safeguard which will assist the oversight of thematic targeted warrants. The Investigatory Powers Tribunal recently considered the use of equipment interference in this way. It determined that,
“a warrant is lawful if it is as specific as possible in relation to the property to be covered by the warrant”,
“it need not be defined by reference to named or identified individuals”.
Let me turn to the amendments that seek to remove the ability to grant a warrant relating to particular subject matters. This was also discussed at some length in the other place and very recently in this Committee, again in the context of interception. Such a change would be operationally damaging and is moreover unnecessary. The Bill and the statutory code of practice impose strict limits on the issue of warrants, including in relation to organisations or groups of persons. I should emphasise that such warrants are not open-ended. Their scope must be sufficiently limited that the issuing authority can properly assess the necessity and proportionality of the interference. Further, under the Bill a judicial commissioner will need to approve the issuing authority’s decision. So the clause does not allow for overly broad warrants to be issued. Moreover, removing the ability to seek warrants against persons carrying out the same activity could prohibit the agencies from, for example, seeking a warrant against individuals accessing a particular website in order to access child abuse images. In such cases it is vital that law enforcement should be able to identify suspects and bring them to justice.
I turn now to the question of testing and training warrants and perhaps I may briefly restate our concerns regarding the amendments to remove the ability to apply for a warrant for testing or training purposes. This would be damaging operationally and would also result in a reduction in safeguards. It is vital that those who are authorised to undertake equipment interference are able to test new equipment and to make sure that those responsible for using that equipment are properly trained in its use. Without the ability to test equipment, we will simply increase the risk of mistakes being made where individuals are not able to receive adequate training in its use. The warrant application process in these circumstances allows the Secretary of State to understand the potential risk that data will be acquired incidentally and to agree the measures to be taken to reduce the risk. Indeed, material obtained under a testing or training warrant must be handled in accordance with the same safeguards as any other material, and that includes that such material must be destroyed when retaining it is no longer required for one of the statutory purposes. I would suggest that appropriate safeguards are already in place.
I will move on now to Amendments 158A to 158C, which refer to Clause 93. Clause 93 sets out the categories of data that may be acquired under an equipment interference warrant. These categories are “communications”, “equipment data” and “other information”. This clause makes it clear that a warrant must specify what categories of data are to be acquired through the proposed interference. Perhaps I may be allowed to explain briefly what each of these categories means and why it is appropriate to set them out in this way. I will begin with “communications”’. The definition is straightforward and appears throughout the Bill, and for Part 5 it is defined in Clause 126. An equipment interference warrant may be authorised to obtain communications that are “at rest”, such as an email saved on a suspect’s hard drive or a text message that is stored on his mobile phone. An equipment interference warrant may not authorise the obtaining of communications in real time, such as the interception of a telephone call; that would need to be authorised under an interception warrant.
“Equipment data” is defined in Clause 94. It comprises data that are typically less intrusive, such as the subscriber identification number associated with a SIM card. In some cases the security and intelligence agencies may need to acquire such data through an equipment interference warrant. Clause 93 allows for a warrant to be issued for this activity, and again this is an important privacy safeguard. It means that some equipment interference warrants will only authorise the acquisition of less-sensitive data.
Finally, the term “other information” reflects the fact that not all of the data that may be acquired through equipment interference will be either communication or equipment data. For example, an illegal image saved on a criminal’s hard drive may not constitute a communication if it has not yet been disseminated via the internet. It is of course vital that the police are able to identify such material in the course of a covert investigation, including through the use of equipment interference techniques. Such data would fall under the heading of “other information”. The proposed amendment seeks to narrow the clause, thus preventing the equipment interference agencies from applying for an equipment interference warrant where the purpose is to acquire “other information”. We consider that such an amendment would be a mistake because of the example that I have just given.
It is right that equipment interference agencies should be permitted to obtain information that does not fall into the categories of either communications or equipment data. It is also vital that the equipment interference agencies are able to fully investigate potential serious crime or national security threats subject to the rigorous safeguards and oversight provided by the Bill. I will reiterate this because, for example, it would severely detract from the equipment interference agencies’ current powers if they were to be prohibited from examining material that a suspected terrorist had hidden on a hard disk simply because the subject had not communicated the information. I hope that assists in explaining “other information”. The term should not be taken to imply that a warrant could be open-ended—that it could authorise the acquisition of data not described in the warrant. As well as describing the category of information that may be obtained under a warrant, Clause 107 makes clear that the warrant must specify the precise conduct to be undertaken, and a warrant for other information is simply one aimed at obtaining data that are not or not only communication or equipment data.
Clause 93 sets out the categories of information that may be obtained through the proposed interference. It envisages that some warrants will be permitted only for the acquisition of less intrusive equipment data. Equally, in some cases, the circumstances may merit the use of techniques to obtain communications or other data from a suspect’s device. That provides a clearer regime than the current statutory framework and indeed, for stronger privacy protections. Accordingly, I invite the noble Lord to withdraw his amendment.
I am very grateful for the lengthy explanation that the noble and learned Lord has provided. However, I still have questions. One of the examples he gave was to be able to interfere with equipment of a group of people who are accessing a particular website. I guess that you would need to know the IP addresses of the devices that were accessing that website to interfere with them, and that would be within the terms of our amendment. I may have lost concentration, and apologise to the Minister if so, but I cannot remember him addressing targeted examination warrants, where presumably the security services—the only ones who would apply for such a warrant—would know the identity of the people. I am still not clear about the need for thematic targeted examination warrants.
The big question that I have around testing and training is: who are the poor innocent people targeted by the warrants used for testing and training purposes? How is it decided who should be targeted? Will the Minister say what that other information is that needs to be specified in the warrant?
I accept that the withdrawal of these powers would be a mistake but, as the Minister acknowledged to begin with, these are probing amendments. I am grateful for the explanations he has given so far. Perhaps he might write to me to deal with my further and more difficult questions, but at this stage I beg leave to withdraw the amendment.
I shall be happy to write to the noble Lord on the three particular points. I do not think that they were the more difficult questions but they may be the ones that I did not fully answer, and I am content to write to him.
Amendment 158A withdrawn.
Amendments 158B and 158C not moved.
Clause 93 agreed.
Clause 94 agreed.
Clause 95: Subject-matter of warrants
Amendments 158D to 158M not moved.
Clause 95 agreed.
Moved by Lord Paddick
159: After Clause 95, insert the following new Clause—“Security, integrity and privacyThe person making an application for a warrant under this Part must make a detailed assessment of—(a) the risk to the security or integrity of systems or networks that the proposed activity may involve;(b) the risk to the privacy of persons not being specifically targeted; and(c) the steps proposed to be taken to minimise these risks.”
That gave me sufficient time. I apologise to the Committee; it has been a long day already. My noble friend Lady Hamwee and I also have Amendments 160 and 169A in this group.
Equipment interference can involve hacking into telecommunication systems or a network by deploying software that could compromise the security or integrity of that system or network, making them vulnerable to attack by not only the forces of good but the forces of evil. It can also expose the communications of everyone using that system or network.
Equipment interference can also involve hacking into someone’s phone or computer so that any communication can be seen by the police or the security services, including messages that are end-to-end encrypted. As the noble Lord, Lord Harris of Haringey, mentioned, that is crucial, particularly as more and more communication is encrypted. Basically, anything that the person sees on the screen of their phone or computer and any information contained on the device, the police or the security services can see as well. This may, however, make the device vulnerable to hacking by others.
Amendments 159 and 160 would include in the Bill safeguards to protect systems and networks, reduce collateral intrusion and ensure that critical national infrastructure is safeguarded by requiring those applying for equipment interference warrants to make a detailed assessment of the risks involved. Amendment 169A is intended to require the judicial commissioner who is asked to approve the warrant to also consider an assessment of the risks, although I am not sure that the wording is entirely right for that amendment. I beg to move.
My Lords, the Committee will get a feeling of déjà vu.
I rise to speak to Amendment 159 and others, and start by acknowledging that equipment interference—hacking, in common parlance—with a person’s computer or phone can be justified by known or suspected threats or by an actual incidence of serious crime. However, I still have two concerns. Some types of hacking pose a risk of serious unintended consequences for the target device and collateral damage to devices connected to it or even whole networks, right up to the national level. My other concern is that in the case of hacking by the police rather than by the security agencies there is a danger that a defence lawyer could, rightly or wrongly, claim that vital evidence located on the target device had been tampered with, so putting a successful prosecution at risk.
There are several known examples of large-scale unintended consequences of hacking by the authorities, and no doubt many more that we do not know about. One example is GCHQ’s attack on Belgacom, Belgium’s largest telecoms company, during 2010 and 2011. It involved infiltrating the home computers of several Belgacom staff to acquire their company passwords. Then highly sophisticated malware was installed on Belgacom’s systems to allow GCHQ to acquire large amounts of data. It cost Belgacom many millions of pounds and a lot of time to clean up its systems. Another example is a test by GCHQ that accidentally closed down an entire mobile network in a major city in this country for half a day. So there is a good case for the extra safeguards in Amendments 159 and 160, which are intended to reduce the risk of equipment interference going out of control, and I support them.
On the subject of the danger of allegations, accurate or otherwise, that the police had contaminated evidence in the device that they subjected to equipment interference, I would be interested to hear the Minister’s views. In the Joint Committee, my concerns were brushed aside by the police witnesses, but surely there is a serious danger that the police will be accused of planting, deleting or amending evidence just as they used to be about slipping incriminating evidence into the defendant’s pocket.
My Lords, as I said earlier in Committee, it is important that, in assessing any proposal made in the Bill, we strike the balance between the need for it and any possible negative consequences, and whether that may weaken the security of a device, enabling the malign elements, as opposed to benign, to penetrate systems. As I understand it, the purpose of the amendment is to try to ensure that that balance is clear in the Bill. It would place an obligation on those seeking warrants and those considering them to look at whether that balance has been struck and ensure that it has.
It is reasonable for those seeking warrants to demonstrate that they have considered whether there are any negative consequences of the action they are prepared to take, particularly if it leads to a weakening of the general security of a wider system that may mean it is prone to attack from cybercriminals or others accordingly, or that there is likely to be a large amount of collateral damage in other people’s information being made available to the authorities.
I make it clear that I do not think the fact that the information of other people who are not the purpose of a warrant may be compromised is necessarily a reason why we should not proceed with this. It should be balanced with the consequences. For example, I can conceive of circumstances where a warrant might be sought for a machine in an internet café. Clearly, that is because certainly individuals are thought to be using it. In any application I would want consideration to be given to what would be done about those other, presumably entirely innocent individuals who might use the same machine.
I am concerned that, as part of the process, there should be consideration of the downsides of a particular application: whether it is weakening the system or interfering with the privacy of other people who are not specifically targeted. If either is the case, there should be clear consideration of what can be done to minimise those risks. The fact that another person is not the subject does not necessarily mean that it should not be proceeded with. It is a matter of proportionality—the benefits that will be gained from the action being taken, and whether that is properly considered by those making the application and those considering whether to approve it. For those reasons, the amendment is broadly helpful. I hope that Ministers may be prepared to accept this or something like it to provide that assurance.
My Lords, I added my name to Amendments 159 and 160. Amendment 164 is in my name and that of my noble friend Lord Rosser. Our points are much the same as those made by my noble friend Lord Harris. I do not think there will be planting of evidence, for example. Our concern is much more about the risk to any public cybersecurity system, and we would want that to be taken into account. These amendments follow the recommendations of the Joint Committee. The idea is to minimise any potential risks. If, for example, the Secretary of State has to take into account any risk to the security and integrity of the networks, that by itself will ensure that any applicant sets that out in the form they submit. We hope the Government will respond, as my noble friend Lord Harris said, not necessarily by using these exact words, but in the spirit of these amendments in order to retain overall security.
My Lords, Amendments 159 and 160 would introduce new clauses requiring the person making an application for a warrant to make a detailed assessment of the risks of the proposed equipment interference activity to any critical national infrastructure, to the security and integrity of systems and networks, and to the privacy of those not targeted. Amendment 164 is linked to the requirement to produce risk assessments and would require the Secretary of State, when issuing warrants to the Chief of Defence Intelligence, to consider the content of these assessments when deciding whether the activity under the warrant would be proportionate. Amendment 169A would require a judicial commissioner to take into account a technical cyber risk assessment, conducted by the Investigatory Powers Commissioner, of the specific equipment interference proposed when deciding whether to approve a decision to issue a warrant.
I start by making an important general point. It seems these amendments are based on a fundamental misinterpretation of what GCHQ and others are here to do. Their role is to protect the public. That includes protecting cybersecurity. Indeed, the Government have invested very considerable resources into improving our cybersecurity efforts. Last November, the Chancellor announced the creation of a new national cyber centre led by GCHQ, with an additional £190 million of funding.
GCHQ has an excellent track record in identifying cyber vulnerabilities and making leading computer companies aware so they can improve their security. For example, in September 2015, Apple publicly credited CESG, the information assurance arm of GCHQ, with the detection of a vulnerability in its iOS operating system for iPhones and iPads, which could have been exploited to allow the unauthorised modification of software and to extract information from the devices. That vulnerability has now been patched.
I appreciate that the noble Lords’ amendments are intended to introduce safeguards, but I contend that sufficient safeguards are already contained in the Bill. Part 5 already requires the Secretary of State or law enforcement chief to consider whether the proposed conduct is necessary and proportionate before issuing a warrant. The Government have provided even more reassurance since the discussion of these same amendments in the other place. As we have frequently reflected, Clause 2 is a new provision that sets out overarching privacy duties. It includes a requirement to have regard to the public interest in the integrity and security of telecommunication systems. This requirement applies to any decision on whether to issue an equipment interference warrant.
The draft statutory code of practice also sets out, in detail, the factors that must be considered in respect of proportionality. The code states at paragraph 3.27 that one element of proportionality that should be considered is,
“explaining how and why the methods to be adopted will minimise the risk of intrusion on the subject and others”.
It goes on to state at paragraph 3.30:
“Equipment interference activity must therefore be carried out in such a way as to appropriately minimise the risk that the activities of the equipment interference agency would result in any increase of the likelihood or severity of any unauthorised intrusion into the privacy, or risk to the security, of users of equipment or systems, whether or not that equipment is subject to the activities of the equipment interference agency”.
If noble Lords will allow me one last quote, paragraph 3.31 states:
“Any application for an equipment interference warrant should contain an assessment of any risk to the security or integrity of systems or networks that the proposed activity may involve including the steps taken to appropriately minimise such risk … The issuing authority should consider any such assessment when considering whether the proposed activity is proportionate”.
An innocent citizen could be the subject of training or testing equipment interference under paragraphs (d) or (e). Are these not legitimate questions to ask on behalf of such a citizen? If it is established that there was a risk, albeit a relatively small one, who will make the judgment that it is reasonable to expose the person, his equipment and his privacy to that risk?
My Lords, I hope the noble Lord will accept that, in the context of training and testing, those activities are essential if we are to have fully functioning services. It should not only be current investigations that are used for training as that could jeopardise operations. Current investigations may not give the full range of testing and training opportunities to prepare staff and equipment for all necessary eventualities. I will write to the noble Lord on the precise procedures involved in authorising testing and training as I do not have the information in front of me. However, appropriate safeguards will be built into those procedures.
I come back to the point I was making about these amendments in general. I contend that they are not necessary because the Bill and the draft statutory code of practice already require that the impact on people’s privacy, including in respect of collateral intrusion and cybersecurity, is properly considered in every single case. The draft codes will, of course, also be subject to parliamentary scrutiny and agreement before they come into force. I hope that those remarks are helpful in reassuring the noble Lord and that he will withdraw his amendment.
I thank the Minister for responding to these amendments. I have to say that I am a little sceptical. Yes, of course, as I think he just mentioned, one part of GCHQ is responsible for improving cybersecurity and identifying vulnerabilities around it. However, the role of another part of GCHQ is to breach cybersecurity in order to access information on terrorists’ and serious criminals’ devices. Indeed, when I was at GCHQ it was accepted that there was a tension between the two parts of that organisation as far as that is concerned.
I am also not convinced that it is absolutely clear and obvious in the Bill that there is a need to consider the unintended consequences of damage to networks or devices. I accept what the noble Earl says about collateral intrusion but not in terms of damage to devices or networks. However, at this stage—
Before the noble Lord decides what to do with his amendment, it might be helpful if I amplify my earlier comments. It is perfectly right to say that some equipment interference operations involve taking advantage of weaknesses, generally in how users are interacting with the internet, but sometimes vulnerabilities in the software or hardware themselves. However, I also contend that the use of equipment interference does not in itself create those weaknesses. While the security and intelligence agencies might on occasion—as I say—exploit such capabilities, they are at the same time committed to making the internet as secure as possible. As I mentioned, the security and intelligence agencies regularly highlight such vulnerabilities to industry.
There is a simple point to be made here. To leave targets open to exploitation by others would increase the risk that their privacy would be unnecessarily intruded upon. It would also increase the risk of those who wish to know who our targets are identifying the security and intelligence agencies’ tools and techniques. Therefore, operations must be carried out in such a way as to minimise that risk. I come back to the point I made near the start of my remarks: the purpose of GCHQ is to protect the public in that sense.
I am grateful to the Minister. While there may be a convoluted route to get to what is proposed in these amendments, if it amounts to the same thing and does the same job with regard to protections around ensuring that privacy is not unnecessarily intruded upon, I see no reason why the Government would resist these amendments. However, at this stage, I beg leave to withdraw the amendment.
Amendment 159 withdrawn.
Amendment 160 not moved.
Amendments 160A and 161 not moved.
Moved by Earl Howe
162: Clause 96, page 73, line 26, at end insert—“( ) The fact that the information which would be obtained under a warrant relates to the activities in the British Islands of a trade union is not, of itself, sufficient to establish that the warrant is necessary on grounds falling within subsection (5).”
Amendment 162 agreed.
Clause 96, as amended, agreed.
Clause 97: Power to issue warrants to intelligence services: the Scottish Ministers
Moved by Earl Howe
163: Clause 97, page 74, line 21, at end insert—“( ) The fact that the information which would be obtained under a warrant relates to the activities in the British Islands of a trade union is not, of itself, sufficient to establish that the warrant is necessary as mentioned in subsection (1)(b) or (2)(b).”
Amendment 163 agreed.
Clause 97, as amended, agreed.
Clause 98: Power to issue warrants to the Chief of Defence Intelligence
Amendment 164 not moved.
Moved by Earl Howe
165: Clause 98, page 74, line 38, at end insert—“( ) The fact that the information which would be obtained under a warrant relates to the activities in the British Islands of a trade union is not, of itself, sufficient to establish that the warrant is necessary as mentioned in subsection (1)(a).”
Amendment 165 agreed.
Clause 98, as amended, agreed.
Clause 99 agreed.
Clause 100: Power to issue warrants to law enforcement officers
Amendment 165A not moved.
Moved by Earl Howe
166: Clause 100, page 75, line 28, at end insert—“( ) The fact that the information which would be obtained under a warrant relates to the activities in the British Islands of a trade union is not, of itself, sufficient to establish that the warrant is necessary as mentioned in subsection (1)(a).”
Amendment 166 agreed.
Clause 100, as amended, agreed.
Schedule 6 agreed.
Clause 101 agreed.
Clause 102: Approval of warrants by Judicial Commissioners
Amendment 167 not moved.
Moved by Earl Howe
169: Clause 102, page 78, line 20, at end insert “, and ( ) consider the matters referred to in subsection (1) with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).”
Amendment 169 agreed.
Amendment 169A not moved.
Clause 102, as amended, agreed.
Clauses 103 and 104 agreed.
Clause 105: Members of Parliament etc.
Moved by Baroness Jones of Moulsecoomb
169AA: Clause 105, leave out Clause 105 and insert the following new Clause—“Members of Parliament etc.(1) This section applies where—(a) an application is made to the Judicial Commissioner for a targeted equipment interference warrant, or an application is made to the Judicial Commissioner for a targeted examination warrant, and(b) the warrant relates to—(i) communications sent by, or intended for, a person who is a member of a relevant legislature, or(ii) a member of a relevant legislature’s private information.(2) The application must contain a statement that the conduct sought under subsection (1)(a) will cover or is likely to cover material falling within subsection (1)(b).(3) Further to the requirements set out elsewhere in this Part, the Judicial Commissioner may only issue a warrant if—(a) there are reasonable grounds for believing that a serious criminal offence has been committed;(b) there are reasonable grounds for believing that the material is likely to be of substantial value to the investigation in connection to the offence described in paragraph (a);(c) other proportionate methods of obtaining the material have been tried without success or have not been tried because they were assessed to be bound to fail; and(d) it is in the public interest, having regard to—(i) the public interest in the protection of privacy and the integrity of personal data,(ii) the public interest in the integrity of communications systems and computer networks, and(iii) democratic interest in the confidentiality of correspondence with members of a relevant legislature.(4) In this section “member of a relevant legislature” means—(a) a member of either House of Parliament;(b) a member of the Scottish Parliament;(c) a member of the National Assembly for Wales;(d) a member of the Northern Ireland Assembly;(e) a member of the European Parliament elected for the United Kingdom.”
My Amendment 169AA would ensure that applications for targeted equipment interference or targeted examination warrants are granted only on application to a judicial commissioner, removing the role of the Secretary of State. It also applies additional safeguards to the correspondence of parliamentarians when a warrant for hacking is sought. I have held my tongue this afternoon despite listening to some astonishing statements. I will keep my remarks now quite brief. This is not to say that I do not feel a lot of passion for this debate, because I do, but I value your Lordships’ time and so I will be brief.
I feel very strongly that politicians and journalists are not above the law, but politicians have a unique constitutional role, not least in holding the Executive to account. There should be a strong legislative presumption against their surveillance, which should be rebutted only in clear and specific circumstances, overseen only by judicial commissioners, without political involvement, which could have bias. A single process of judicial authorisation ought to exist across the Bill, but in relation to politicians being under surveillance it is imperative to remove any political involvement.
It is illogical to suggest that an adequate replacement for an almost complete prohibition on surveillance of politicians—the Wilson doctrine—is to expressly allow it, needing only the Secretary of State to consult with the Prime Minister prior to authorising interception or hacking. In fact, instead of securing an independent authorisation process, involving two politicians rather than just one makes the process even more political, not less. It is inherent in our democracy that members of the public can correspond with their representatives in private. It is vital that anyone contacting their Member of Parliament and any material that they provide will be handled with confidentiality and sensitivity. This also applies to journalists, of course.
“the protection is not for the benefit of the journalist or the Member of Parliament but for the wider public good”—[
People have to know that they have privacy and confidentiality. Of course, it is also essential that the protections granted to elected representatives are consistent across the different methods of surveillance. John Hayes, who was a Minister quite recently—I am not sure where he is now—said that the Government would consider the issue of consistency across the different methods of surveillance. I beg to move.
My Lords, I do not support the amendment, I fear. I entirely agree with the noble Baroness with regard to the correspondence of Members of Parliament. But the Joint Committee looked at whether Members of Parliament should be under surveillance and it agreed with the recommendations before it; that is, that there should be a double lock at that stage. That is consistent with the whole Bill: it should not only be the Secretary of State who signs a warrant but a judicial commissioner.
During the passage of the Bill in the House of Commons, that was made into a triple lock so that the Prime Minister, who originally was only to be informed of the warrant, now had to approve it as well. That seems to be an extremely wise thing to do. As a Member of Parliament—or a Member of this House or any of the devolved Parliaments and legislatures—who was going to have their communications intercepted, it would be important to know that it went as far as having the Prime Minister, the head of government, involved. Having just a judge doing it goes completely against the spirit of the Bill. The double-lock system is what everybody has said is absolutely the right thing to do. This is now a triple lock and I fear that I cannot support the amendment.
My Lords, I am very glad the noble Baroness has tabled this amendment because it enables us to clarify the extension of the things we were discussing on telephone interception into this area, which the Government are now seeking to ensure is covered in other respects and that the same principles should apply. Having said that, I am inclined to agree with the noble Lord, Lord Murphy, that what is now in the Bill is probably about the best set of safeguards that we could reasonably construct from the very important principle—I agree with the noble Baroness on this—that we should protect the ability of constituents and whistleblowers to contact elected Members to raise matters of concern. They may be matters which affect the very organisations, whether it is the intelligence services or the police, that might seek the power to initiate interception.
The noble Baroness mentioned the Wilson doctrine, which came up earlier. That adds no clarity whatever to the situation but simply obscures it. It is even further complicated now by the fact that the last Prime Minister to make a Statement on the subject is no longer the Prime Minister. It is not even clear that his successor will consider herself bound in any way by what Mr Cameron said on the subject. As I think we teased out in the previous discussion, the Wilson doctrine does not really mean anything now. There is now a statutory basis for considering how to deal with a situation where there are reasonable grounds to believe that a Member of a legislature is involved in very serious crime or associated with terrorism. That is the procedure set out in the clause that the amendment addresses.
That there should be a bizarre principle now that the Government generally have a policy of not using these sorts of powers but will come along to Parliament some day and say, “We’ve changed our minds and now we want to use these powers very widely indeed” just does not make any sense at all. Since no Prime Minister has ever come to the House to satisfy the requirements of the Wilson doctrine—that if government policy changes, you should make such a Statement—the whole thing has become absurd. We should give it a decent burial and satisfy ourselves that the provisions we put in place for governing interceptions of any kind of the communications of a legislator are satisfactory. I am of the view that the clause we have now, following the various interventions that the noble Lord, Lord Murphy, described, is a good basis for doing so.
My Lords, I do not know whether the noble Baroness, Lady Jones, feels that she got an adequate response to her equivalent amendment the other day. I had a look at the Official Report this morning and I thought that it was quite telegraphic—quite brief. So it is understandable that she would raise the matter again in this context. I see that she has expanded subsection (3)(d) with regard to the public interest. On the noble Baroness’s previous amendment on interception, my noble friend Lord Paddick made the point that if ever there was a need for political accountability regarding the target of a warrant, it is when that target is a parliamentarian. He acknowledged the tensions and dilemmas in all this.
I am a member of the Joint Committee on Human Rights, which, when it considered these issues before the Bill had its Report stage in the Commons, expressed concern about the separation of powers, which is what underlies this, at any rate as regards parliamentarians—the need to be able to communicate freely with constituents and others because of the distinction between the Executive and the legislature.
Perhaps I might say a word about government Amendment 173—although not to argue with it. It is about modifications and the Committee knows our concerns about those, but I accept the need to define “designated senior official”. But I wonder about the wording that this is for,
“the purposes of this section”.
Presumably it is also for the purposes of the modification and is case by case. I am not really sure about that but I can see the need for an audit trail. I think that the phrase “designated senior official” is used elsewhere, not only in this clause—I found it in Clause 112(7)—and not only as a senior official designated by a public authority. So I wonder whether there is a need to look at the definition throughout. Of course, the Bill is not really long enough as it is, so maybe we should have additional definitions collated in Clause 236. My principal point is whether there might be some confusion about using the phrase only for the one section.
Since the issue of the Wilson doctrine has been raised, perhaps I could refer to the recent report from the Select Committee on the Constitution. It referred to the Wilson doctrine and made particular reference to a case decided last year, where,
The Select Committee ended that section of its report by saying:
“We note that the surveillance of parliamentarians is a significant constitutional issue and would welcome clarification from the Government of its current understanding of the Wilson Doctrine”.
Do the Government intend to give an indication of their current understanding of the Wilson doctrine, in line with the views expressed in that recent report from the Select Committee on the Constitution?
My Lords, Amendment 169AA would remove the role of the Secretary of State and law enforcement chiefs from the warrant authorisation process, in circumstances where an equipment interference warrant is sought for the purposes of acquiring the communications or private information of a Member of a relevant legislature. This proposal reflects an earlier amendment discussed by this Committee in the context of interception. As I understood her, the noble Baroness, Lady Jones, is concerned that the safeguards contained in the Bill politicise the process of authorising a warrant. I do not share that perspective at all.
As my noble and learned friend Lord Keen said when we first discussed this matter, this amendment would in fact reduce the safeguards for parliamentarians. In line with the commitment given by the previous Prime Minister last November, the Bill provides a triple lock where warrants concern a parliamentarian’s communications or private information: they must be issued by the Secretary of State; approved by the Prime Minister; and authorised by a judicial commissioner. The Bill goes even further in the context of equipment interference warrants issued to law enforcement agencies, which are issued by a law enforcement chief and must be approved by the Secretary of State, the Prime Minister and an independent judicial commissioner.
I will not rehearse the arguments for the double lock at this point, but it is important to remember, as the noble Lord, Lord Murphy, reminded us, that it was endorsed by the Joint Committee of Parliament that scrutinised the draft Bill and, following amendments made in the other place, enjoyed cross-party support. The additional safeguards provided for parliamentarians add an extra layer of checks to the process. I do not share the perception of the noble Baroness, Lady Jones, that the process introduces the risk of political bias. In fact, I find it difficult to see what possible benefit would accrue from removing one of the checks that we now propose—that regarding the Secretary of State or law enforcement chief. In view of that, I respectfully invite the noble Baroness to withdraw her amendment.
I will move on briefly to the amendment tabled by the Government. Amendment 173 is—this answers the question from the noble Baroness, Lady Hamwee—a small, technical amendment that simply corrects the omission of a definition from Clause 114. The amendment adds the appropriate definition of a “designated senior official” to the clause, informing the reader of the persons to whom the provision applies. We do not think that there is any need to revisit the relative definitions in other parts of the Bill, and the amendment does not change how the equipment interference regime operates in any way.
The noble Lord, Lord Rosser, asked about the Government’s view of the Wilson doctrine. As he will be aware, in its judgment of
In February 2015, the Government published an updated draft code of practice on the interception of communications, which explicitly recognised the importance of communications between constituents and their elected representatives. In consequence, the Bill now provides for this in statute by setting out a role for the Prime Minister in authorising warrants which target a parliamentarian. I hope that that is helpful.
I have to ask the Minister to address the Wilson doctrine just to this extent. Given the statutory provision which he and I both now support, what kind of statement does he envisage would be made by a Prime Minister to the House of Commons on the lines first envisaged by Harold Wilson so long ago? How can that possibly be a relevant proceeding now that these statutory provisions will be in place?
My Lords, as I understand it, the Wilson doctrine committed the then Government to returning to Parliament if there was a change of policy. Clearly, now that we are enshrining what I think by common consent is a good formula for protecting parliamentarians, the need for a Government to come back to Parliament to announce a change in policy would have to be followed up, if it were done, by further primary legislation. I cannot envisage that and simply do not foresee that contingency. Through the Bill, we are now in a stronger and clearer position on the protection of parliamentarians and their communications with constituents than we were before.
I thank the noble Lords who have made kind comments, even if they disagreed with me. We are not going to agree on the double or treble lock because, quite honestly, if you have two people from the same background or discipline agreeing with and corroborating each other—whether police chiefs or politicians—I think that there is the possibility of bias and that people outside this Chamber will see that as well.
I have heard several times in our debates the idea that we have to give the security or intelligence services the tools that they need to do the job. Personally, I heard that quite a lot with reference to the Met Police when I was on the Met Police Authority. In fact, while the Met and the intelligence services can be somewhat like a greedy child at Christmas, wanting more and more toys, it was the current Prime Minister who said “Enough” to the police. When the previous Mayor of London, Boris Johnson, wanted water cannon to be used on the streets of London, Theresa May MP said that, no, she would not authorise it. So sometimes you have to say no because it is not the right thing—the right powers or toys to give to a department.
This is a monstrous Bill which, in essence, means the end of privacy for us all. It is very important that we get these things right, so I welcome all the debate that we are having. I beg leave to withdraw the amendment.
Amendment 169AA withdrawn.
Clause 105 agreed.
Clause 106 agreed.
Clause 107: Requirements which must be met by warrants
Amendments 169B to 169T not moved.
Clause 107 agreed.
Clause 108 agreed.
Clause 109: Renewal of warrants
Moved by Earl Howe
170: Clause 109, page 85, line 7, leave out “before the end of the relevant” and insert “during the renewal”
171: Clause 109, page 85, line 42, at end insert—“( ) “The renewal period” means—(a) in the case of an urgent warrant which has not been renewed, the relevant period;(b) in any other case, the period of 30 days ending with the day at the end of which the warrant would otherwise cease to have effect.”
172: Clause 109, page 86, line 14, at end insert—““urgent warrant” is to be read in accordance with subsection (3) of that section.”
Amendments 170 to 172 agreed.
Clause 109, as amended, agreed.
Clauses 110 to 113 agreed.
Clause 114: Approval of modifications under section 110 made in urgent cases
Moved by Earl Howe
173: Clause 114, page 89, line 31, at end insert—““designated senior official” means a senior official who has been designated by the Secretary of State or (in the case of warrants issued by the Scottish Ministers) the Scottish Ministers for the purposes of this section.”
Amendment 173 agreed.
Clause 114, as amended, agreed.
Clauses 115 to 117 agreed.
Clause 118: Implementation of warrants
Amendment 173A not moved.
Clause 118 agreed.
Clauses 119 to 122 agreed.
Clause 123: Duty not to make unauthorised disclosures
Amendments 174 and 175 not moved.
Clause 123 agreed.
Clauses 124 and 125 agreed.
Moved by Lord Paddick
176: After Clause 125, insert the following new Clause—“Authorisations to interfere with property etc.(1) The Secretary of State may by regulations made by statutory instrument amend the Police Act 1997 to provide that authorisations given under it for placing, using, maintaining or retrieving any equipment, apparatus or device which would enable the interception of any communication are subject to approval equivalent to the approval of warrants under this Part.(2) A statutory instrument containing regulations under this section may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”
My Lords, Amendment 176 is in my name and that of my noble friend Lady Hamwee. It would insert an additional clause after Clause 125, giving the Secretary of State power to amend the Police Act 1997 in relation to the authority given to law enforcement to place, use, maintain or retrieve,
“any equipment, apparatus or device which would enable the interception of any communication”,
so that such authority is in line with equivalent warrants under this Bill. The wording does not entirely do its job but it is a start. The intention of the amendment is to draw attention to anomalies in the granting of authority to law enforcement officers to intrude into people’s privacy and the need to bring all law enforcement surveillance authorities up to the same standard, as provided by the majority of the Bill.
The reason for there being no double lock involving a Secretary of State in Clause 100 is that the legislation currently used by law enforcement to carry out equipment interference—the Police Act 1997—does not require authorisation by the Secretary of State. This amendment allows the Secretary of State to amend the Police Act 1997 to ensure that similar authority levels apply across law enforcement and the security services, and to other types of intrusive surveillance not covered by the Bill.
As I have said, the Police Act 1997 is the legislation currently used by the police to conduct equipment interference. As the amendment suggests, the powers in the Police Act allow the police to plant tracking devices in cars, for example, and covert transmitting and recording equipment in people’s homes and offices. Under these current powers, a police chief can, without your knowledge or consent, plant a concealed camera or microphone in your home or office without a warrant, without judicial oversight and with no Secretary of State authority. Not only is that unacceptable, it is inconsistent with the Bill.
Noble Lords will be aware that equipment interference warrants issued to the security services are subject to the so-called double lock—the Secretary of State and the judicial commissioner. Clauses 96 and 97, on the power to issue equipment interference warrants to intelligence services, and Clause 98, on the power to issue equipment interference warrants to the Chief of Defence Intelligence, all require Secretary of State and judicial commissioner double-lock authority. Indeed, noble Lords have argued in previous debates on the Bill—and the Government have not demurred—that it is a constitutional necessity that politicians who can be held to account by Parliament authorise warrants. We disagree but the Government cannot have it both ways.
Clause 100, “Power to issue warrants to law enforcement officers”, as drafted requires no Secretary of State involvement whatever. It is the chief of the law enforcement organisation, on application by an appropriate law enforcement officer—one of his own staff—who may issue a targeted equipment interference warrant. This is a significant inconsistency in the Bill. Equipment interference is as intrusive as interception, if not more so, yet the police can self-authorise without Secretary of State involvement. Granted, there is an improvement on the current situation, in that under the Bill a judicial commissioner will have to approve the warrant. However, this is only a single lock in terms of independent oversight, not a double lock as in the case of all other warrants under the Bill. The explanation is that currently, under the Police Act 1997, the police may self-authorise equipment interference.
Either, as we have argued previously in relation to police interception warrants, the judicial commissioner alone should approve law enforcement warrants in crime cases that are not politically sensitive, or Clause 100 must include Secretary of State approval. Whichever course the Government decide to take—double lock in the case of both law enforcement interception and law enforcement equipment interference warrants, or only judicial commissioner approval—surely the current position, whereby the police can bug your office and film covertly inside your home without a warrant or Secretary of State approval, should not be allowed to continue. Hence the need for this amendment.
The wording of the amendment may not be perfect but the intent is now crystal clear. I would be grateful if the Minister provided a reasoned explanation for the anomaly in the Bill. If I may assist the Minister, I would not consider “Because we’ve always done it that way” a reasoned explanation. I would also be grateful if the Minister explained the Government’s view on whether it is right for a police chief to accede to a request from one of his own officers to film covertly inside someone’s home without consent, without a warrant and without Secretary of State approval. I beg to move.
I am obliged to the noble Lord for his suggestion that this is essentially a probing amendment, which he directs at what he perceives as anomalies in the Bill. For reasons that I shall expand on, those anomalies do not exist.
Amendment 176 seeks to introduce a clause that would enable the Secretary of State to make regulations requiring that the authorisation of property interference under the Police Act 1997, where the purpose is to enable the interception of communications, should be subject to the equivalent approval processes as set out under Part 5 of this Bill, including double-lock review by a judicial commissioner. That is how I understand the amendment and the noble Lord indicates his agreement.
It is worth being clear that interception warrants are not issued under the Police Act 1997, but are currently issued by the Secretary of State under Part 1 of the Regulation of Investigatory Powers Act. However, sometimes it may be necessary for intercepting authorities to carry out property interference to enable interception to take place. In these circumstances, the intercepting authority would need to ensure that appropriate property interference authorisation is obtained in addition to an interception warrant.
Clause 14 will restrict the ability of law enforcement agencies to authorise this type of equipment interference under the Police Act 1997. The restriction will mean that where the purpose of the interference is to enable the acquisition of communications, private information or equipment data, the activity can no longer be authorised under the Police Act 1997. As a result, the amendment in question is not required, as it will not be possible to authorise the type of activity it envisages under the Police Act 1997.
In future, if it is necessary to interfere with property to enable interception to take place, the interference with equipment will need to be authorised under Part 5 of the Bill. The Bill and its associated codes of practice make it clear that an equipment interference warrant cannot authorise activity which would constitute live interception of communication in the course of its transmission. As a result, both an equipment interference warrant and an interception warrant will be required.
In practice, this activity is likely to be authorised as a combined equipment interference and interception warrant. Paragraph 3 of Schedule 8 to the Bill enables the Secretary of State to issue such a combined warrant to the relevant intercepting authorities, such as the NCA. This reflects the fact that the Secretary of State is responsible for issuing targeted interception warrants, and the Bill ensures that combined warrants always default to the most senior level of authorisation. Any such warrant would always also go through the double lock of judicial commissioner authorisation.
I hope that reassures the noble Lord that the amendment is not necessary and I accordingly invite him to withdraw it
I thank the noble and learned Lord for what he has said, but I did ask whether he would be prepared to offer an opinion about the deployment of a covert camera into somebody’s home without the need for either Secretary of State or judicial commissioner approval and what, in the Government’s opinion, is the right level of authority. I accept what he says about an interception warrant being required if equipment interference is for the purpose of intercepting communication. However, if it is for the purpose of observing what is going on inside an office or a home, I do not believe that that amounts to interception of communication as such, even though the people who are present in the room are communicating with each other. I do not think that amounts to interception of communication as intended by the Bill.
The other issue that I was hoping the noble and learned Lord could enlighten the Committee on is that equipment interference warrants issued to the security services require the double lock of the Secretary of State and a judicial commissioner, but equipment interference warrants issued to law enforcement do not require that double lock, because a police chief can self-authorise the issuing of such a warrant to such agencies. We have to bear in mind how intrusive that can be. We have already discussed that the equipment interference may not necessarily be in order to intercept communication, and the noble and learned Lord gave the example earlier of looking for a pornographic image on a computer. Despite what he said, it still seems an anomaly that the security services require a double-lock authority and the police do not.
I am not sure to what extent I can respond before the noble Lord sits down, but let me be clear that I do not accept that there is an anomaly, because we are dealing here with two entirely different circumstances that are not directed to the present amendment. As regards a camera being placed in someone’s room, I undertake to write to the noble Lord on that if that will assist him, although it does not appear to me to assist with this amendment.
I am grateful to the noble and learned Lord, who has all the time in the world to add comments until I finally withdraw the amendment. However, I beg leave to withdraw it at this stage.
Amendment 176 withdrawn.
House resumed. Committee to begin again not before 8.25 pm.