My Lords, I rise to speak to Amendment 156A and cite the simple facts about internet connection records. They do not currently exist, would be very difficult and costly to manufacture, have very limited usefulness and collecting and storing them, far from making us safer, would expose everyone in Britain who uses the internet to new and serious risks. In addition, they are highly intrusive into everyone’s private lives and cannot be stored securely by service providers. So it is little wonder, then, that no other western democracy is collecting internet connection records, including the four other members of the “Five Eyes” partnership, the long-standing security alliance between the UK, the USA, Canada, Australia and New Zealand. In fact, the new Australian data retention law specifically excludes the retention of web browsing histories. As for the USA and Canada, David Anderson pointed out in his report that in both countries,
“there would be constitutional difficulties in such a proposal”.
As my noble friend Lord Paddick has already pointed out, Denmark is the only country known to have tried to collect internet connection records—session logs, as they called them. That project was abandoned after a review by the Danish ministry of justice found that it had been of almost no use to the police. The Home Office claims, with some justification, that the proposal in the Bill has some differences from the Danish system but this year the Danish Government came up with a revised scheme that is almost identical to the internet connection records provisions in the Bill. That was promptly abandoned when the prohibitively expensive cost estimates of the Danish service providers were confirmed as accurate by independent accountants. We must ask ourselves: what is it about our country that makes the Government believe that we should be in a stubborn minority of one on this important matter? I hope the Minister will be able to explain it to the Committee.
It is important to understand that internet connection records—ICRs—do not currently exist. Unlike itemised phone bills, which phone companies keep for billing purposes and are the basis of the current communications data regime, communications service providers—CSPs—have no need whatever for ICRs so they do not create or keep them. The Joint Committee heard from many technical and industry experts, including the committee’s two excellent technical advisers, that it would be very far from simple for CSPs to start intercepting these data as they pass through their networks. Each company would have to devise a method suitable for their own systems. They would need to install expensive and complex equipment to carry out “deep packet inspection”, which copies data packets as they fly past on fibre-optic cables. They would then need to process the collected data to find and discard the very large amount of internal housekeeping signals that keep the network healthy but have absolutely no intelligence value. The warnings the committee heard from the service providers about the difficulties of making ICRs happen and their negligible intelligence value echoed what Danish service providers told their Government before they embarked on their ill-fated and wasteful scheme.
However, if some British service providers could do better than their Danish counterparts and succeed in creating internet connection records, it would not make Britons safer; it would make us less safe. I will explain why. The very existence of internet connection records would create more hazards and dangers for the British public than they currently face, and these risks are as good as impossible to mitigate. The first rule of digital security is to not keep any data you do not need because they are all vulnerable. Yet here, we are talking about storing everything that we all do on the internet for 12 months. We should bear in mind that this information would be gold dust to those who would do us harm and would attract the efforts of hackers, blackmailers, criminals and rogue states from around the world. The prize for them would be the details of the private lives of millions of UK citizens: all our personal secrets, including our banking and credit card details; our problems with addiction; our mental and physical health; our sexual proclivities; our financial struggles; our political leanings; our hopes, our worries, our plans—just about everything about our lives.
If the Government attempt to convince themselves and this House that service providers will be able to keep these data safe, they will be deluding themselves and the British public. It is a matter of when, not if, these sensitive data get into the wrong hands. I will explain why. Our service providers make their money from transmitting our data on their way to and from our devices. They are not in the business of storing it securely. The noble Baroness, Lady Harding, who is the chief executive of TalkTalk could, if she were in her place, recount how 156,000 of her company’s customers had their data accessed by hackers last year. In February this year, SWIFT, the interbank financial transaction network, which presumably needs and has much stronger security than service providers, had $81 million stolen in one set of transactions. It would have been much more, but for a simple spelling mistake by the culprits. Canadian police reported in August last year that two clients of the infidelity website Ashley Madison had taken their own lives, following the theft of the personal data of 33 million Ashley Madison customers. Also last year, Chinese hackers stole the details of 4 million US Government employees, including their security clearances.
I could go on but the Committee will be pleased to hear that I will leave it there for now. Suffice it to say that our data are very likely to be hacked and used to steal from us, blackmail us or otherwise harm us and our families. That might happen through a clever cyberintrusion originating in China or North Korea, or in a teenager’s bedroom in Cleethorpes. It may be a disgruntled or greedy insider. It may even be a police officer misusing the proper authorisation channels—and before the Committee discounts that possibility, your Lordships should be aware that over the last five years there were 877 instances of inappropriate data disclosure by police officers to third parties, of which 297 cases resulted in either resignation or dismissal and 70 in a criminal conviction or caution.
The intelligence agencies are clear that they have no need for internet connection records. The policemen who gave evidence to the Joint Committee did not seem to have their hearts in it when they were sent in to bat for ICRs by the Home Office, which has been pushing for this power for years. The new power fails the necessity test. Its usefulness is tiny and its intrusiveness for every citizen is very high, which means that it fails the proportionality test as well. It is technically difficult and very costly to deliver. It opens up a whole new set of risks for innocent internet users, making us substantially less safe, and for all those reasons no other country is doing it. Internet connection records have nothing going for them and should not be part of the Bill.