This amendment seeks to more clearly outline what material may be obtained by hacking.
With this it will be convenient to discuss amendment 382, in clause 88, page 67, line 40, leave out from “6” to end of line 43.
This amendment requires that an examination warrant is required for the examination of all data, removing the exception of equipment data and the broad category of ‘not private information’ which is collected under bulk warrants.
We need to spend some time on this clause, because it is the one that deals with equipment interference under part 5. There are real concerns about the breadth of the clause, which provides for two kinds of warrant: a targeted equipment interference warrant and a targeted examination warrant. Those warrants allow interference with equipment, such as remote—not always remote—interference with equipment with your, my and many other people’s equipment, Ms Dorries, to secure any of the purposes under subsection (2).
The warrants allow others to interfere with our communications data equipment to obtain “communications”, “equipment data” or, to draw attention to subsection (2)(c), “any other information”—to hack into or interfere with equipment to obtain unlimited “any other information”. That is why the amendment seeks to limit subsection (2)(c) to “any other specified data”. In other words, the clause as drafted will in effect allow interference for pretty well any purpose, as long as it is to obtain information from your computer, my computer, my laptop, your laptop and so on. The provisions are very wide.
The equipment interference in subsection (4) includes interfering by
“monitoring, observing or listening to a person’s communications or other activities” or
“recording anything which is monitored, observed or listened to.”
Let us pause there and reflect on how wide the provision is. In terms of invasion of privacy, that will put an incredibly powerful provision in the hands of those who will operate these measures.
I intervene merely because I know that the hon. and learned Gentleman is as much a stickler for accuracy as I am and is perhaps even less prone to hyperbole than me. He will therefore want the Committee to consider the draft code of practice, particularly where it deals with exactly the matters to which he is referring. I will discuss this at greater length than an intervention will allow in a moment, but he will see in the draft code of practice a comprehensive list of qualifications to the breadth that he is outlining.
I am grateful for that intervention. I have been referring throughout to the code of practice and its role. Consistent with the in-principle argument I have been making, the Bill and the code serve different functions. I understand the argument that a code is one way not only to give more detail to the provisions in the Bill, but to future-proof it. In other words, a code allows an approach that can be changed without amending the legislation.
As a matter of principle, though, I argue that where limits are to be put on the exercise of the power, and thus important safeguards are in place, they should be in the Bill. What should be resisted is a wide and generalised power in the Bill that finds constraint and limitation only in the code of practice. The extent of these powers should be set out in the Bill. The code of practice is the place for more detailed provision—provision that may change over time—and other obvious future-proofing techniques; it is not the right place for the limitations themselves.
Moving on, consistent with the earlier clauses on warrants, subsection (5) allows conduct in addition to the interference itself in order to do what is expressly authorised or required and any conduct that facilitates or gives effect to the warrant. I now want to take a bit of time on subsection (6).
Given the hon. and learned Gentleman’s desire to move on, and so that he can do so with greater velocity, let me be absolutely clear that the clause would not allow warrants to be issued without the information being sought being specified.
I am grateful for that intervention. It is helpful to have such matters on the record so that others can follow how the clauses are intended to operate.
Returning to subsection (6), one of the welcome measures in the Bill is that clause 3(4) makes it clear that, when a communication is intercepted, interception includes the communication at
“any time when the communication is stored in or by the system”.
I know that sounds very technical, but it became a real issue in a number of cases in which the question was whether a voicemail that was accessed once it was on a voicemail machine was in the course of its transmission. If the answer to that was no, there was nothing unlawful about retrieving it, listening to it and publishing it. A lot of time and energy went into the interpretation of the relevant clause. One of the advantages of the Bill is that clause 3 spells out in no uncertain terms that communications are protected if they are intercepted in the course of transmission, including if stored either before or after transmission. That protects any communication, sent to us or anybody else, which is either listened to at the time or not, but is later stored either in a voicemail, on a computer or in any way. We all store communications all the time; it is very rare that they exist only in real time. That is a step in the right direction.
We then get to clause 88(6):
“A targeted equipment interference warrant may not, by virtue of subsection (3), authorise or require a person to engage in conduct, in relation to a communication other than a stored communication”.
It protects the communication and excludes its content from this part—I think that is the idea—but only half does the job and leaves quite a gap, in my view. We get back to the same problem. If there is equipment interference to obtain a communication, that communication would be protected from one of these warrants as long as it is in the course of its transmission. If it has arrived, it is not. If I am wrong about this I will stand corrected, but all of the good that was done by amending clause 3 will be undone by clause 88; the same ends could be achieved by using an equipment interference warrant, namely obtaining by interference a communication that is in the course of its transmission, either before or after it is sent.
I am grateful to the hon. and learned Gentleman for his humility in suggesting that he would stand corrected; I now stand to correct him. An equipment interference warrant would not allow interception of real-time information of the kind that he describes. He is right that to intercept that kind of information would require a different process, as we discussed earlier in our considerations. If further explanatory notes need to be made available to provide greater clarity about that I am more than happy to do so. I will talk more when I respond, before you rightly chide me for going on for too long, Ms Dorries.
I am grateful to the Minister. If he could point to the provision that makes good the submission he has just made, then that will deal with this particular point. Just to be clear, subsection (6) is intended to ring-fence and exclude from one of these warrants communications the interception of which would
“constitute an offence under section 2(1)”,
but only in relation to communications in the course of their transmission in the real sense of the term, not including those that are “stored”. I put on the record—if this is capable of being answered, so be it—that “stored” in subsection (6) has the same meaning as in clause 3, which is intended to include stored communications within the prohibition. I will not take it any further; the Minister has my point, which is that one would expect subsection (6) to protect the same content that is expressly protected by clause 3(4), but it does not—unless he or somebody else can point to another provision that adds to subsection (6), though that would be an odd way of doing it.
I will move on. Subsection (9) defines targeted examination warrants. This is important because subsections (1) to (8) deal with targeted equipment interference warrants—warrants issued in a targeted way; the targeted examination warrant deals with examining material obtained by way of a bulk warrant. It therefore serves a different purpose. Subsection (9) is an extremely wide provision:
“A targeted examination warrant is a warrant which authorises the person to whom it is addressed to carry out the selection of protected material…in breach of the prohibition in section 170(4)”.
To understand that, we need to turn to section 170(4), which raises questions that relate to an argument I made earlier on another, not dissimilar, provision. It states:
“The prohibition…is that the protected material may not…be selected for examination if (a) any criteria used for the selection of the material for examination are referable to an individual known to be in the British Islands at that time, and (b) the purpose of using those criteria is to identify protected material consisting of communications sent by, or intended for, that individual or private information relating to that individual.”
That is intended to give protection to individuals known to be in the British islands, by placing limits on the examination of their material: in relation to their material or their communications one needs a targeted examination warrant to get around the prohibition in clause 170(4). The point I make here is similar to the point that I made before: this is temporal. Whether a person is in the British islands or not depends on where they are physically. I am protected so long as I am in the British islands, but I fall out of protection—as would everybody else—the moment I leave them, whether I am leaving for a day, a week, a month or a year. That is a real cause for concern, as is the wide definition of protected material that immediately follows in clause 88(9); amendment 382 would limit the extent of that definition by stopping the clause after the words “Part 6”, which are on page 67, line 40, of the draft Bill.
In conclusion, this is a very wide-ranging clause, and it contains insufficient safeguards—if there are safeguards, they should be in the Bill. There are questions on subsections (6) in (9), taken in conjunction with clause 170(4), that the Minister will have to deal with.
I rise to support the hon. and learned Gentleman in his submissions on these two amendments. As we have just reached part 5, I want to take the opportunity to make some general comments on it. Powers to conduct equipment interference—or “hack”, which is the more generally used term—are new; they do not exist in any previous legislation. They therefore require significant scrutiny, by the Committee and by parliamentarians generally, before they are added to the statute book. By its very nature, hacking is an extremely intrusive power, because it grants the authority to see all past and future information and activity on a computer or other device. Beyond the implications for privacy, the potential ramifications for the whole country’s cyber-security and for fair trials mean that hacking should be used only as a tool of last resort. The SNP’s position is that stronger protections must be added to the Bill.
As the hon. and leaned Gentleman has already explained in his characteristically succinct way, the powers afforded by clause 88 are extremely wide. Even with these amendments, this part of the Bill contains very wide powers. Warrants can last for up to six months and can be renewed potentially indefinitely. The warrant applications will be subject to what we argue is a weak system of judicial review. The warrants for interference can be modified by Ministers without the approval of a judicial commissioner, and a modification can include changing the name, descriptions and scope of the warrant. Chief constables are required to have their decisions to modify warrants reviewed by a judicial commissioner unless they consider the modification to be urgent.
Hacking is potentially very intrusive. It is more damaging than other forms of traditional surveillance, such as bugging and the interception and acquisition of communications data. Uniquely, hacking grants the hacker total control over a device. Phones and computers can be turned on or off, their microphones and cameras can be activated, and files can be added or deleted, all of which can be done without the fact of the hack being known or knowable to the target.
The potential for the intrusiveness of hacking is intensified in the digital age, when our computers and mobile devices have replaced and consolidated our filing cabinets, photo albums, video archives, personal diaries, journals, address books, etc. Devices may contain not only details about the user’s personal circumstances, age, gender and sexual orientation but financial information, passwords and possibly privileged legal information. Hacking is perhaps more comparable to searching a house than to intercepting.
With hacking come considerable security concerns. When malware is deployed, there is often a risk of contagion, both overseas and at home. We have seen many examples of that internationally in recent years. We as parliamentarians should consider the cost of widespread hacking by the authorities. Hacks create and maintain permanent vulnerabilities that can be exploited by criminal elements. For example, to use colloquial language, if the good guys hack into a device, it makes it easier for the bad guys to hack in after them. We are all well aware of the risks and costs of cybercrime to the British economy.
Hacking also has repercussions for fair trials. Because hacking, by its nature, can require the alteration of the content on a target device or network, new questions are raised about the potential for electronic surveillance to undermine the integrity of a device or material located on a device that could later be sought to be used in evidence in a criminal or a civil trial. At present, there is no specific regulation of the use of hacking product in criminal trials, and none has been presented in the Bill or the code of practice.
Liberty and Justice, among others, suggested that in recognition of the unique potential of hacking capabilities and to avoid future miscarriages of justice and collapsed trials, the Bill should contain proposals to ensure audit trails and police disclosure where prosecutions result from investigations that have utilised hacking capabilities. That is in all of our interests so that we can fairly and effectively try those who subsequently turn out to be guilty.
Any amendments that the SNP table to part 5 of the Bill are against the background of those concerns. It is because of them that I support the hon. and leaned Gentleman’s arguments in support of amendments 381 and 382.
As the shadow Minister said, part 5 of the Bill is very important. It deals with equipment interference. He is right to say that equipment interference is, by its nature, quite a radical technique—I will explain that in a few moments—but of course it is for a purpose. It fulfils a proper function and allows those missioned to keep us safe to do so by means of the exercise of that power.
Let me deal with the hon. and learned Lady first. I thought that her contribution—I say this kindly because, despite all of my instincts, I cannot help liking her—[Interruption.] Someone said “saintly instincts”. I would not go as far as to say “saintly”; I would say “wholesome instincts”. I thought that her speech exemplified the curious cocktail at the heart of Scottish nationalism: a mix of paranoia and assertiveness.
I have two things to say in response to her. First, these powers are not new; they already exist in the Intelligence Services Act 1994 and the Police Act 1997. Secondly, the exercise of those existing powers has been scrutinised. They are particularly used by GCHQ.
Order. There is a Division in the House. We will suspend for 15 minutes, or 25 if there are two. Be back as quickly as you can if there are three.
Having characterised the Scottish National party in a vivid and, in some people’s view, slightly too generous way, I will move on to the specifics of what the hon. and learned Lady said. She is right that there need to be important safeguards in respect of equipment interference. I do not think that there is any difference between us on that. She is right that GCHQ’s use of equipment interference powers—although they are more widely available, it is GCHQ that uses them particularly—are central to its purpose and of course must be lawful. She will be pleased to know that the Investigatory Powers Tribunal found them to be just that when it looked at the matter as recently as February of this year. Of course it is right, given the radical character of those powers, that we put in place all the right checks and balances. One might say that transparency and stronger safeguards are part of what the Bill is defined by.
It is important to emphasise in that context the draft codes of practice, which I drew attention to in a brief intervention on the hon. and learned Member for Holborn and St Pancras. They are clear in two respects. I draw attention first, in general terms, to part 8 of the draft code of practice on equipment interference, which deals with handling information, general safeguards and so on, and secondly to the specific areas covered in part 4.10, which lists an extensive series of requirements for the information that a targeted equipment interference warrant should contain. I will not go through them exhaustively, Ms Dorries, because that would please neither you nor other Committee members. Suffice it to say that such a warrant should contain details of the purpose and background of the application, be descriptive and clearly identify individuals where that can be done. Those requirements also necessitate an explanation of why equipment interference is regarded as essential and refer to conduct in respect of the exercise of such powers, collateral intrusion, and so on. They are pertinent to the consideration of the clause.
There is always, as I predicted there would be in this case, a debate in Committee about what is put in the Bill and what is put in the supporting material. As you will be familiar with, Ms Dorries, having been involved in all kinds of Committees over time, Oppositions usually want more in Bills and Governments usually want more flexibility. Perhaps that is the nature of the tension between government and opposition. I have no doubt that were the Labour party ever to return to Government, the roles would be reversed; we would be the ones saying, “More in the Bill,” and that Labour Government would probably be arguing for more flexibility. The truth lies somewhere between the two: of course it is important to ensure that there is sufficient in the Bill both to ensure straightforward legal interpretation and to cement the safeguards and protections for which the hon. and learned Gentleman rightly calls, but in achieving those ends one must always be careful that specificity does not metamorphose into rigidity. Where we are dealing with highly dynamic circumstances, changing technology and, therefore, changing needs on the part of the agencies and others, rigidity is a particular worry.
In the Bill as a whole, and in this part of the Bill, we have tried to provide sufficient detail to provide transparency, navigability and a degree of resilience to legal challenge while simultaneously providing the flexibility that is necessary in the changing landscape. That is why the codes of practice matter so much, particularly in respect of this clause and these amendments, and it is why the codes of practice have changed in the light of the consideration of the Joint Committee of both Houses, and others. It is also why I predict—I put it no less strongly than that—that the codes of practice will change again as a result of the commentary that we have already enjoyed in Committee and will continue to provide over the coming days.
The need for equipment interference could not be more significant, and I will explain what it comprises. Equipment interference is a set of techniques used to obtain a variety of data from equipment that includes traditional computers, computer-like devices—such as tablets, smartphones, cables, wires—and static storage devices. Interference can be carried out remotely or by physically interacting with the equipment. Although equipment interference is increasingly important for the security, intelligence and law enforcement agencies, it is not new. Law enforcement agencies have been conducting equipment interference for many years, and I described the legislative basis for that in response to the hon. and learned Member for Edinburgh South West. It is probably fair to say that equipment interference is likely to become still more important as a result of the effect that changes in technology are having on other capabilities. I do not want to overstate this, but encryption, for example, is likely to make equipment interference more significant over time.
I will amplify the clarity with which I delivered my advice to the hon. and learned Member for Holborn and St Pancras. Warrants cannot be issued without specifying what information is being sought, and on that basis it is hard to see why clause 88 should be amended. Chapter 4 of the code of practice states:
“An application for a targeted equipment interference warrant should contain… A general description of any communications, equipment data or other information that is to be (or may be) obtained”.
Together, the provisions provide the issuing authority with the information it needs to assess an application and with the power to constrain the authorised interference as it sees fit on a case-by-case basis. Amendment 382 would extend the requirement to obtain a targeted examination warrant to circumstances where the agencies need to select for examination the equipment data and non-private information of an individual who is known to be in the British islands. I tend to agree with the argument made by the hon. Member for City of Chester in an earlier sitting of the Committee that it is right that there are particular provisions for UK citizens in what we do in this Bill, rather than with the argument made by the hon. and learned Member for Edinburgh South West.
I just want to clarify my concern, because I think the Minister just said, “UK citizens”. I understand that the distinction is made between UK citizens and others. My concern about this provision is that, whether someone is a citizen or not, if they are physically outside of the British Isles they fall outside the protection. That has been my driving concern, or one of my driving concerns, here. There may be a good reason for this and there may be a longer explanation for it, but I was surprised to see in the Bill that the protection was not to British citizens or to some other description of people with the right of residence in this country, but in fact depends on whether someone is physically in the country or not. On my understanding, I lose the protection that is provided by this Bill in this and other provisions if I go to France for a short period of time.
To be fair to the hon. and learned Gentleman, the Bill refers to people within “the British Islands”, so he is right, and there are very good reasons why enhanced safeguards should apply for the content of people in the UK. As he implied, we explored these issues in an earlier part of the debate.
I will conclude, but I want to do so on the basis of clarifying this matter, too. The subsection that the hon. and learned Gentleman described earlier makes it clear that when a warrant for equipment interference is used to examine a phone, the police can look at all data on the phone, including text messages, but not in real time. I wonder whether there has been a misunderstanding or misapprehension about this issue—either a mis- understanding about the meaning or misapprehension about the purpose.
I repeat this solely for the sake of convincing the hon. and learned Gentleman and others that we are doing the right thing. These are important powers with stronger safeguards with absolute determination to be clear about legal purpose; they can only be used when necessary and can only be used lawfully. They are fundamentally not new but a confirmation of what is already vital to our national interest and to the common good.
I am grateful to the Minister for taking us through in some detail how the clause is intended to work with the code of practice. I reiterate my point that the essential safeguards should be in the Bill. Amendments 381 and 382 would not delete the provisions in clause 88; they would tighten the provisions in clause 88, and I intend to push both of them to a vote.
Amendment proposed: 382, in clause 88, page 67, line 40, leave out from “6” to end of line 43.—(Keir Starmer.)
This amendment requires that an examination warrant is required for the examination of all data, removing the exception of equipment data and the broad category of ‘not private information’ which is collected under bulk warrants.