Maintenance of technical capability

Investigatory Powers Bill – in a Public Bill Committee at 5:00 pm on 3 May 2016.

Alert me about debates like this

Amendment proposed: 845, in clause 217, page 167, leave out lines 20 and 21 and insert—

“(1) The Secretary of State may, following approval by a Judicial Commissioner that the notice is justified, practicable, necessary and proportionate, give a relevant operator a notice (a “technical capability notice”)”

This amendment would require judicial authorisation for Clause 217 and bring the clause in line with other provisions within the bill that require judicial authorisation.—(Keir Starmer.)

Question put, That the amendment be made.

The Committee divided:

Ayes 7, Noes 9.

Division number 125 Christmas Tree Industry — Maintenance of technical capability

Aye: 7 MPs

No: 9 MPs

Aye: A-Z by last name

No: A-Z by last name

Question accordingly negatived.

Amendment proposed: 855, in clause 217, page 167, line 20, after “State”, insert “following approval by a Judicial Commissioner”.

This amendment would require judicial authorisation for technical capability notices. This would also extend the “double lock” standard that is set in other parts of the Bill.—(Keir Starmer.)

The Committee divided:

Ayes 7, Noes 9.

Division number 126 Christmas Tree Industry — Maintenance of technical capability

Aye: 7 MPs

No: 9 MPs

Aye: A-Z by last name

No: A-Z by last name

Question accordingly negatived.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I beg to move amendment 846, in clause 217, page 168, line 8, at end insert—

‘(4A) A notice may not impose upon the relevant operator any obligations relating to the removal of electronic protection applied by or on behalf of that operator to any communications or data unless the relevant operator or a person acting on its behalf retains the technical ability to remove the electronic protection from such communications or data.”

This amendment would provide clarity and legal certainty for industry that the Government will not require back doors to be installed into products and services, is not seeking to weaken or restrict the use of encryption and that companies cannot be required to remove encryption if they do not have the means to do so at their disposal.

With this it will be convenient to discuss the following:

Amendment 847, in clause 217, page 168, line 16, at end insert—

“(e) persons generally held to be representing users and privacy interests in order to assess the impact of any such Regulations on users.”

This amendment would ensure that privacy protections form an overarching part of the Bill and apply across the full range of investigatory powers afforded to the security services.

Amendment 848, in clause 217, page 168, line 24, leave out subsection (8) and insert—

“(8) A technical capability notice may only be given to persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom) where it would not cause the person to act contrary to any laws or restrictions under the law of the country or territory where it is established, for the provision of services.”

This amendment would remove all provisions within the Bill that have extraterritorial reach and undermine the long term objective of creating a long term, international framework for law enforcement to gain access to data held overseas and resolves conflict of laws situations that may otherwise arise by providing the Secretary of State with the power to serve such notices without having to take account of domestic legal obligations to which the recipient is subject.

Amendment 857, in clause 217, page 168, line 30, at end insert—

“(11) A person shall not be liable to have a technical capability notice served on him in accordance with regulations under this section by reason only that he provides, or is proposing to provide, to members of the public a telecommunications service the provision of which is or, as the case may be, will be no more than—

(a) the means by which he provides a service which is not a telecommunications service; or

(b) necessarily incidental to the provision by him of a service which is not a telecommunications service.”

This amendment would exclude (under powers in RIPA section 11(4)) those services that have a communications element, but are primarily not a communication service. This limits the very broad range of “telecommunication services” that could be required to build a technical capability under this Part.

Amendment 849, in clause 218, page 168, leave out lines 37 and 38, and insert—

“(3) Before giving a relevant notice, the Secretary of State must provide evidence that the notice is justified, necessary practicable and proportionate, having, among other matters, taken into account—”

Amendment 850, in clause 218, page 168, line 45, at end insert—

“(f) the effect on the privacy and human rights of people in the United Kingdom and outside the United Kingdom”

Amendments 848 to 850 would make explicit the requirement on the Home Secretary to justify the use of a power as intrusive as a technical capability notice. It will also require the Home Secretary to take account of the full effects of such a notice, particularly on people and companies based overseas.

Amendment 858, in clause 218, page 169, line 7, leave out—

“A technical capability notice may be given to a person outside the United Kingdom” and insert—

“Where a technical capability notice is to be given to a person outside the United Kingdom, the notice shall be served at that person’s principal office outside the United Kingdom where it is established, for the provision of services. Where it is considered unfeasible or inappropriate in the circumstances”

This amendment would require that a UK agency would only serve a notice on an overseas entity that is capable of providing assistance under the warrant.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

This important clause is causing a great deal of concern to operators that may be called upon to comply with a notice. The clause provides for a power to be vested in the Secretary of State to give a relevant operator a technical capability notice

“imposing on the relevant operator any applicable obligations specified in the notice,” and

“requiring the person to take all the steps specified in the notice for the purpose of complying with those obligations”.

That is a very wide power, and the concern is about the extent of it. In a moment, I will refer to the code of practice, which sets out some of the capabilities that might be required.

It is clear that the power includes taking steps relating to encryption. I say that for two reasons. Subsection (4) lists in paragraphs (a) to (e) the obligations that may be specified in regulations. They include obligations

“to provide facilities or services of a specified description” and obligations relating to

“apparatus owned or operated by a relevant operator” or to

“the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”.

That is clearly veering into encryption. Obligations may also relate to

“the security of any postal or telecommunications services provided by a relevant operator” or

“the handling or disclosure of any information.”

If one reads ahead, clause 218(4) deals with further provisions on notices under clauses 216 and 217, stating:

“Where the relevant notice would impose any obligations relating to the removal by a person of electronic protection applied by or on behalf of that person to any communications or data, in complying with subsection (3) the Secretary of State must in particular take into account the technical feasibility, and likely cost, of complying with those obligations.”

The concern of many who might be called upon to comply with the obligations is about the wide-ranging nature of the power.

This also goes deep into the debate about encryption. It is absolutely clear that a notice could require protection to be removed, and the clause envisages that being the case. That becomes clearer when one reads the “Interception of Communications” draft code of practice from chapter 8 onwards. If one reads paragraphs 8.1 to 8.94, one sees what is in fact a power that allows the Secretary of State, through this mechanism, effectively to take control of a capability of a service provider. Paragraph 8.1 states:

“The purpose of maintaining a technical capability is to ensure that, when a warrant is served, companies can give effect to it securely and quickly. Small companies (with under 10,000 users) will not be obligated to provide a permanent technical capability”.

Paragraph 8.3 then lists the wide range of obligations that can be imposed in a notice under this clause.

Paragraph 8.4 of the draft code states:

“An obligation placed on a CSP to remove encryption only relates to electronic protections that the company has itself applied to the intercepted communications (and secondary data), or where those protections have been placed on behalf of that CSP, and not to encryption applied by any other party.”

That is very important provision, which I think I am right to say was clarified as a result of a recommendation from prelegislative scrutiny. The difficulty—I am anticipating the discussion we are about to have—is that this crucial issue is dealt with in the code of practice and not in the Bill. The concern expressed in the evidence given to the various prelegislative bodies and to the Committee was that companies will be obliged to remove the protections in their own systems. Paragraph 8.4 is of some comfort to them because it makes it clear that the obligation would only relate

“to electronic protections that the company has itself applied” and not to other encryption—but the real problem is that paragraph 8.4 is in the code of practice and not in the Bill. That needs to be rectified. We cannot leave something as important as that in the code of practice. It goes to the heart of the power in the clause. It is far and away the biggest cause for concern among CSPs, yet it is not dealt with in the Bill. The Bill provides for a permissive, rather than a restrictive, regime—if I am wrong about that, I will happily take an intervention.

Paragraph 8.6 of the code of practice clarifies that:

“While an obligation to remove encryption may only relate to protections applied by or on behalf of the company…there will also be circumstances where a CSP removes encryption from communications for their own business reasons. Where this is the case, an intercepting agency will also require the CSP, where applicable and when served with a warrant, to provide those communications in an intelligible form.”

The code then makes provision for giving a notice, for the disclosure of technical capability notices, and for their review and variation. Paragraph 8.27 and 8.28 are very wide-ranging. Paragraph 8.28 states:

“CSPs subject to a technical capability notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.”

That goes deep into territory hitherto unregulated in this way; CSPs will be required to give the Government notice of their new products and services, so that the Government can consider whether to vary a notice that already applies to them. We can see why the service providers are so concerned about that capability.

Pressing on through the code of practice, we see that the contribution of costs for the maintenance of a technical capability is dealt with from paragraph 8.43. Again, these provisions give an indication of the breadth of the capability covered by the clauses of the Bill. Paragraph 8.43 states:

“Section 213 of the Act recognises that CSPs incur expenses in complying with requirements in the Act, including notices to maintain permanent interception capabilities under Part 9. The Act, therefore, allows for appropriate payments to be made to them to cover these costs.”

In a sense, the requirement for CSPs to give notice when they have new or different services and to maintain permanent interception capabilities when they would not otherwise do so means the taking control of their services for the purposes of the Act.

The code of practice continues, at paragraph 8.46:

“Costs that may be recovered could include those related to the procurement or design of systems required to intercept communications, their testing, implementation, continued operation and, where appropriate, sanitisation and decommissioning.”

That, again, is an indication of just how wide these powers will be. Paragraphs 8.51 to 8.53 deal with the power to develop compliance systems, suggesting that,

“In certain circumstances it may be more economical for products to be developed centrally, rather than CSPs or public authorities creating multiple different systems” and stating that clause 214 provides the Secretary of State with that power. Paragraph 8.53 is the inevitable conclusion of that, stating:

“Where such systems are developed for use by CSPs, the Government will work closely with CSPs to ensure the systems can be properly integrated into their networks”, which is the option of ensuring that the CSP itself develops and maintains the capability. If not, the Secretary of State can do so and then there will inevitably be a requirement to integrate that capability into existing networks, and so on and so forth. That is why, although the detail of paragraphs 8.1 to 8.94 is welcome, it is the clearest evidence one could get of the breadth of the powers.

Amendment 846 would

“provide clarity and legal certainty for industry that the Government will not require back doors to be installed into products and services, is not seeking to weaken or restrict the use of encryption and that companies cannot be required to remove encryption if they do not have the means to do so at their disposal.”

The amendment is intended to deal with the concern of service providers about how the clause would apply to encryption. Amendment 847 would add a requirement to take into account privacy interests. I will not press that amendment to a vote and I will not spend time on it now, because to some extent it is probably overtaken by the overarching privacy provisions, which we will deal with later in a new clause.

Amendment 848 is self-explanatory. There is a continuing concern among service providers about obligations being imposed on them that would put them in breach of the law, or a restriction under the law, in the country or territory in which they are operating. The intention behind the amendment is to remove that conflict by ensuring that no obligation under clause 217 would

“cause the person to act contrary to any laws or restrictions under the law of the country or territory where it is established, for the provision of services.”

Amendment 857 would deal with a sub-clause of service providers by excluding

“those services that have a communications element, but are primarily not a communication service. This limits the very broad range of ‘telecommunication services’ that could be required to build a technical capability under this Part.”

Amendment 849 is probably the most significant of this group of amendments, as it would insert a new requirement into clause 218:

“Before giving a relevant notice, the Secretary of State must provide evidence that the notice is justified, necessary practicable and proportionate”.

It then lists what must be taken into account. I pause there because it is significant that clause 217 is not subject to a necessity and proportionality test. It is subject to a reasonableness test. Clause 217(3) shows that there is no need for the Secretary of State to show necessity or proportionality.

Interestingly, when it comes to variation in clause 219(4), as far as the national security notice is concerned, there is a requirement to demonstrate proportionality. The amendment would build in a new test to be applied under clause 217. Finally, amendment 858 is our old friend “service outside the jurisdiction”, which I have rehearsed already.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs) 5:15, 3 May 2016

I respectfully support everything that the hon. and learned Gentleman has said.

Photo of Robert Buckland Robert Buckland The Solicitor-General

In arguing in opposition to the amendments, I first want to address the last point that the hon. and learned Member for Holborn and St Pancras made. I can come back to his point about the tests, but in a nutshell, they are inherent to the Bill. The tests of necessity and proportionality are part and parcel of the decision-making process that the authority will be enjoined to carry out.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

It is noticeable that, for obvious reasons, necessity and proportionality have been written into relevant clauses throughout the Bill, but here, I think for the first time, we have a wide-ranging power with no such test—unless I have missed it, in which case I will happily concede the point.

Photo of Robert Buckland Robert Buckland The Solicitor-General

In strict terms, the hon. and learned Gentleman is right—I am looking at clause 218 in particular. I think that subsection (3) might help him, because although we do not have the words “necessity” and “proportionality” there, the matters to be taken into account lead one to conclusions based on necessity and proportionality, and perhaps do so in a more prescribed way that is more helpful to the decision maker. Subsection (3)(a) to (e) addresses the hon. and learned Gentleman’s point, and I put it clearly on the record that the principles of necessity and proportionality are part and parcel of the tests to be applied.

I also note that necessity is required under clause 217(6), which relates to the steps specified in a technical capability notice. I do not know whether that helps the hon. and learned Gentleman. I will certainly consider the issue carefully, but on the face of it, I do not think there is a worry of the sort that he envisages.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

The Intelligence and Security Committee described the clause as a

“seemingly open-ended and unconstrained power”.

Does the Solicitor General not agree that it is therefore essential that the tests of necessity and proportionality are spelled out in the clause, as they are in other parts of the Bill?

Photo of Robert Buckland Robert Buckland The Solicitor-General

I hear the hon. and learned Lady, but I am not convinced that the basis of her argument is right given the breadth of the power. As I said in the context of national security notices, the technical capability notice is only a preliminary step. It will allow the subsequent implementation of warrant, which will then be subject to the tests of necessity and proportionality. I would not want the Committee to operate under a misapprehension. It is my strong, and I hope clear, assertion that we are dealing with an earlier stage of the process, so we should not be driven to the conclusions that I know critics of the Bill want us to reach.

May I deal with encryption, which, as the hon. and learned Gentleman rightly characterised, is at the heart of the matter? I put it on the record that the Government recognise the vital importance of encryption. It has become part of our daily lives. It keeps our personal data and intellectual property secure and ensures safe online commerce, and the Government work closely with industry and business to improve their cyber-security. I can reassure the Committee that in the preparation of the code of practice, there has been close consultation with the interested parties in the industry to ensure that it comprehensively reflects the realities and needs of those who operate in this sphere. Not only does the code of practice replicate the provisions of RIPA, but it goes further, with a degree of specificity that is not possible in primary legislation. It will be a flexible, living instrument that will form a clear prospectus within which everyone can work. I make no apology for the measure being in a code practice, which is where it should be, rather than in primary legislation. With the best will in the world, we all know that it is difficult to amend primary legislation and ensure that it keeps pace with the somewhat breathtaking changes that occur in this particular field of operation.

I also want to talk about the role of GCHQ, which plays a vital information assurance role and provides advice and guidance to allow the Government, industry and the general public to protect their IT systems and use the internet safely. As the director of GCHQ, Robert Hannigan, made clear in his speech on 8 March:

“I am accountable to our Prime Minister just as much, if not more, for the state of cyber security in the UK as I am for intelligence collection.”

In the past two years the security and intelligence agencies have disclosed vulnerabilities in every major mobile and desktop platform, including some of the big names that underpin business here in the UK. In September 2015, Apple publicly credited CESG, the information assurance arm of GCHQ, with detecting a vulnerability in its operating system for iPhones and iPads, and we all know where that vulnerability could have led. The vulnerability was fixed as a result of that intervention, so the suggestion, which I know has not been advanced in this Committee—and I hope will not be—that the Government are opposed to encryption, or would legislate to undermine it, is wholly wrong.

We have to ensure that we have the necessary capabilities to keep our systems safe. Encryption is now, in effect, the default setting for most of our IT products and online services, and although it can be a power for good in keeping the law-abiding safe and secure, sadly it is used easily and all too cheaply by terrorists, paedophiles and other criminals. Therefore it can only be right that we retain the ability to require telecommunications operators to remove encryption in strictly limited circumstances, with strong controls and safeguards, so that we can address the increasing technical sophistication of those who would seek to do us harm. If we do not do that, we must simply accept that there are areas online that are beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. I do not accept that, and I know the general public do not accept it either. That is our starting principle.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

Clause 218(8) and (9) provides that the recipient of a notice must comply with it but must not disclose either its existence or its contents. Does that mean that if an Apple against the FBI scenario were to occur in the UK, Apple would not be able to disclose even the fact that it had been served with a notice, let alone challenge it in court? That is how I read it.

Photo of Robert Buckland Robert Buckland The Solicitor-General

Not without the permission of the Secretary of State. I will return to the mechanism in question, but I am grateful to the hon. and learned Lady for raising that point. I am sure I will be able to provide her with clarity as I develop my remarks.

The starting principle is shared by David Anderson, who in his important review said:

“My first principle is that no-go areas for law enforcement should be minimised as far as possible, whether in the physical or the digital world.”

That view was shared by the Joint Committee on the draft Bill and is shared by the Select Committee on Science and Technology, both of which recognise that, in tightly prescribed circumstances, it should remain possible for our law enforcement and security and intelligence agencies to be able to access decrypted communications or data. That is what clauses 217 and 218 are all about: strong safeguards to ensure that obligations to remove encryption can be imposed only in limited circumstances, subject to rigorous controls.

Clause 217 relates to technical capability notices. Before such a notice is given, the Secretary of State must specifically consider the technical feasibility and likely cost of complying with it. Clause 218(4), which has been the subject of some debate, provides that that consideration must explicitly take into account any obligations to remove encryption applied by, or on behalf of, a communications service provider. In my submission, that deals with the point about third parties that the hon. and learned Member for Holborn and St Pancras raised.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office) 5:30, 3 May 2016

I looked carefully at that subsection, but perhaps the Minister could explain why it is a limiting provision. It is a requirement provision as far as the notice is concerned, but on the face of it, encryption is not limited to protection applied by, or on behalf of, the person themselves. It tells us how that situation would be dealt with, but it is not limited to that.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I have been interested in the clause for a while, because there are issues about what “relevant notice” means, for example. I assure the hon. and learned Gentleman that that applies only to technical capability notices, not national security notices. I will carefully consider how we can make that absolutely clear, and in that context I will have another look at the how the clause is worded. I want to put beyond any doubt the fact that the clause relates only to a technical capability notice and does not relate to third parties. That has been an important undertaking that we have given.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

Deliberating on the interesting discourse that has taken place between the Solicitor General and the hon. and learned Member for Holborn and St Pancras, I take the point that the hon. and learned Gentleman makes about necessity and proportionality running as a theme throughout the Bill. My hon. and learned Friend the Solicitor General is of course right that these are preliminary measures, and therefore once an outcome that has been tested for proportionality has been reached, that will not be a problem. I say to him that there is an argument for taking that into account and making it even clearer, either in the supporting documentation or in the Bill.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I am grateful to my right hon. Friend, and I will do that.

Before I go further, I will deal with the point that the hon. and learned Member for Edinburgh South West made about Apple. My understanding is that the process will give her some reassurance. In that scenario, Apple, as the recipient of the notice, could refer it back to the Secretary of State, who in turn must then consult the technical advisory board and the IPC before deciding whether to proceed further with the notice. If the Secretary of State proceeded, it would then be judicable in the courts, which would determine whether the notice could be enforced. It is quite similar to the scenario that we discussed in the context of national security notices. I hope that gives her some assistance.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I have looked at this issue in the past day or two, and I was concerned about the implication that on the face of it, one could not challenge the provision in court, because there is an absolute bar on disclosure. Am I right in assuming—if I am, it should be on the record—that the Secretary of State will give permission, where appropriate, for a legal challenge to be brought? In other words, there could be disclosure for the purposes of legal proceedings.

Photo of Robert Buckland Robert Buckland The Solicitor-General

On the face of it, that has to follow. If any clarification is needed on that, I am sure I can assist as I further develop my remarks.

I was dealing with the process of consultation before the giving of a notice, and we have had the Apple example. I would like to develop the importance of the draft codes of practice, which the hon. and learned Gentleman has referred to.

Photo of Suella Fernandes Suella Fernandes Conservative, Fareham

The Solicitor General is talking about the power of review in clause 220, which should be read with the power to issue notices. That is important because it obliges the Secretary of State to consult the technical advisory board and the Investigatory Powers Commissioner. That process was endorsed by EE, a communications service provider, in its evidence to the Joint Committee on this very point.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I am grateful to my hon. Friend, who provides an example of the sort of dialogue that will be very much part of the process. There will not be mere diktat without further discussion. I was about to develop that point in the context of the draft codes of practice, because they make it clear that should a telecoms operator have concerns about the reasonableness, cost or technical feasibility of any requirements set out in a notice, which of course would include any obligations to remove encryption, they should be raised during the consultation process. That is the dialogue that we have talked about. Also, a telecommunications operator that is given a technical capability notice may refer any aspect of it—again, I gave an example earlier—including obligations relating to removal of encryption, back to the Secretary of State for review. We have dealt with the consultation process set out in the Bill.

The Bill makes it absolutely clear that in line with current practice, obligations placed on telecommunications operators to remove encryption may relate only to encryption by or on behalf of the Government. That is the point I was making about subsection (4).

Photo of Lucy Frazer Lucy Frazer Conservative, South East Cambridgeshire

I wonder whether clause 217(3) is relevant in the context of what we are discussing. It shows that the Secretary of State can impose t requirements only in so far as they are practicable. The Secretary of State will be prevented from requiring a service provider to do something that it cannot do, for example because a third party has encrypted the material and it is not physically capable of assisting.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I am grateful to my hon. and learned Friend, who is right to pray in aid that subsection, which sets out the bones on which we flesh out the procedure in the code of practice.

Photo of Chris Matheson Chris Matheson Labour, City of Chester

I am getting a bit confused. My understanding was that these provisions applied only to communications service providers. I think it was the hon. and learned Member for Edinburgh South West who raised the question of Apple, which to my mind is not a communications service provider, but the Minister responded in the same terms. Will he clarify who exactly we are talking about and who the provision is intended to cover?

Photo of Robert Buckland Robert Buckland The Solicitor-General

The hon. Gentleman is right to make that important point and to steer us back on to the straight and narrow. I am not criticising the Committee for trying to bring the Bill to life with some examples. We are indeed talking about communications service providers, not third parties, which is important in the context of the Bill.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

Are we not concerned here with the “relevant operator”, which is defined in clause 217(2) as

“a postal operator…a telecommunications operator, or…a person who is proposing to become a postal operator or a telecommunications operator.”?

That definition is the basis of the concern for companies such as Apple.

Photo of Robert Buckland Robert Buckland The Solicitor-General

The hon. and learned Lady is absolutely right to bring us back to clause 217(2). The problem that hon. Members are anticipating is that the provisions will somehow catch parties that no one would regard as appropriate. I think I have given clear assurances on that third party problem.

Photo of Simon Burns Simon Burns Conservative, Chelmsford

I am very grateful to my hon. and learned Friend, and I do not want to be unhelpful, but I would like some clarification regarding Apple. As he is aware, Apple refused to do what the FBI asked. Although the case was never ultimately determined by the courts, because the FBI managed somehow to break open the machine and retrieve the information, how would the clause affect a similar situation if a provider such as Apple refused point-blank to co-operate, just as it did with the FBI?

Photo of Robert Buckland Robert Buckland The Solicitor-General

In endeavouring to answer my right hon. Friend’s point, may I deal first with the question about telecommunications operators? Some assistance may be gained from clause 223(10), where a telecommunications operator is defined in a way that includes Apple. The famous Apple case—the California case—was about the use of a password, which is slightly different from the question of encryption, but it does demonstrate the important tussle between the need to balance public safety and privacy. In that case, the FBI, with an appropriate search warrant, was asking for the chance to try to guess the terrorist’s passcode without the phone essentially self-destructing—after so many tries, everything gets wiped.

We are talking about an attempt to obtain communications data within the robust legal framework that we have set out, with the double lock and all the other mechanisms that my right hon. Friend and the Committee are familiar with. I am grateful to him for raising that case, but there are important differences that it would be wrong to ignore. In a nutshell, without the powers contained in the Bill, a whole swathe of criminal communication would be removed from the reach of the authorities. That is not in the interests of the constituents he has served with distinction for well over a quarter of a century—he will forgive me for saying that—or any other of the constituents we represent.

I was going to come back to the obligations imposed under a technical capability notice, with particular regard to the removal of encryption. The obligations imposed under such a notice will require the relevant operator to maintain the capability to remove encryption when it is later served with a warrant notice or authorisation. That is different from merely requiring it to remove encryption. In other words, it must maintain the capability, but there then needs to be the next stage, which is the warrant application and the notice of authorisation, where there is of course the double lock. The company on which the warrant is served will not be required to take any steps, such as to remove encryption, that are not reasonably practicable.

In a nutshell, this measure is about not an interference with privacy but sets out the preparatory stage before a warrant can be applied for. The safeguards provide the strict controls that I assure the Committee are needed in this sphere of activity. We are maintaining and clarifying the existing legal position.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

I am anxious to clarify what the Solicitor General said about the justiciability of the issuing of such a technical notice. As far as I can see, the Secretary of State is the gatekeeper to justiciability, because the contents of a notice can be revealed only with his or her permission. Where does it say that that can be justiciable, because I cannot find it?

Photo of Robert Buckland Robert Buckland The Solicitor-General

I think it is clause 220, but I will get some further assistance on that point for the hon. and learned Lady before I resume my seat. I am grateful for that intervention.

The Bill does not drive a coach and horses through encryption. It does not ban it or do anything to limit its use. A national security notice—we debated this matter on clause 216—cannot require the removal of encryption, which further supports my argument that there is no blank cheque in the context of these notices. On the issue of civility, rather than keep this Committee waiting, I will write to the hon. and learned Lady to clarify the point that she rightly raised.

Photo of Victoria Atkins Victoria Atkins Conservative, Louth and Horncastle 5:45, 3 May 2016

This is a general point. Although we are examining this Bill in detail, there will of course be an ongoing debate, particularly as the technical companies tussle with the public, about what the public find acceptable. Those companies should not think that the debate ends here; they will have to justify their actions to the public in future.

Photo of Robert Buckland Robert Buckland The Solicitor-General

My hon. Friend is absolutely right. The code of practice has been drafted in that real-life context. It will no doubt be amended and looked at—it will be a living document—as this technology develops and as we move forward. With this clause, we are trying—I do not like this phrase, but I have to use it—to future-proof the legislation to make it resilient so that it lasts and to ensure that this House does not have to return to it time and again to respond to the challenges that increased and enhanced IT present.

Photo of Lucy Frazer Lucy Frazer Conservative, South East Cambridgeshire

My hon. and learned Friend referred to clause 220, which indeed does give the person who receives the notice the power to give it back to the Secretary of State, who then has to consult the Technical Advisory Board and the Investigatory Powers Commissioner, who will then take evidence from those people.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I am glad that my hon. and learned Friend has reminded us of that. I referred earlier to that consultation process. The next stage is when the Secretary of State decides to proceed. I will consider that issue even more carefully to ensure that the Committee is furnished with as much information as possible before Report.

Let me deal with the amendments tabled in the name of the hon. and learned Member for Holborn and St Pancras and others. On amendment 846, the Bill already makes it absolutely clear that a communications service provider will not be obligated to remove encryption where it is not reasonably practicable for them to do so. I do not think the amendment adds anything, and in many cases it would have the effect of inhibiting law enforcement agencies and the security and intelligence services from working constructively with tele- communications operators as the technology develops. I am sure that that is not the intention of the amendment. Depending on the individual company and the individual circumstances, it may be entirely sensible for the Government to work with a company to determine whether it would be reasonably practicable for it to take steps to develop and maintain the technical capability to remove the encryption it has applied to communications or data.

My worry about the amendment is that we would end up with communications services that can be used by criminals and others to communicate with each other unimpeded. We know that internet gambling sites, which have chat room provisions, are used by criminals for entirely unrelated criminal activities. I am sure that that is not the intention behind the amendment. Therefore, with respect, I urge hon. Members to reconsider it.

I will not deal in detail with amendment 847, because I do not think the hon. and learned Gentleman seeks to press it. Although I oppose it, I will move on without argument to amendments 848 and 858. We have discussed similar amendments on extraterritoriality in relation to other powers in the Bill. I pray in aid the arguments I used earlier. The provisions in the Bill allow a notice to be given in the most appropriate manner, taking into account the preferences of each company, which is an example of the adaptability of the legislation to the real world.

Amendment 848 is unnecessary because the clause is about not the acquisition but the development and maintenance of a technical capability. Conflict of law issues are much more likely to arise in respect of giving effect to a warrant, and we already have protection in the Bill for such cases. Admirable though the amendment may seem, it is therefore unnecessary.

Amendment 849 is unnecessary because it duplicates provisions in clauses 218, 216 and 217. I have discussed clause 218(3), which stipulates that the Secretary of State must consider a wide range of matters before giving a notice. That detailed assessment already speaks to the issues raised by the amendment. The Secretary of State has to be satisfied that the conduct is proportionate, justified, necessary and practicable.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

I am sorry to interrupt the Solicitor General’s flow, but I sense he is coming to the end of his argument. Will he clarify something? Am I right in understanding that there is nothing in the clause to prevent someone who is intent on evading surveillance from using open-source encryption software that is personally generated by the user? That would mean they could encrypt files and email communications themselves, independent of any provider, and therefore remain untouched by this legislation.

Photo of Robert Buckland Robert Buckland The Solicitor-General

That question is about the definition of the provider. I am sure we will be able to provide some clarity on that before I draw my remarks to a conclusion. I am grateful to the hon. and learned Lady for raising that point.

Amendment 850 relates to consideration by the Secretary of State of the effect of a notice on the privacy and human rights of people both here and outside the kingdom. The amendment is unnecessary because of the point I made before, which I will reiterate: the clause is not about notices authorising an interference with privacy. A warrant provided for elsewhere in the Bill is required to do that, and we have already considered the potency of the double lock and the test to be applied. A point that is relevant to all the amendments in this group is the statutory function of the Investigatory Powers Commissioner to oversee the use of notices. I raised that in the context of national security notices, and I pray it in aid here again.

Amendment 857 seeks to narrow the category of operators to whom a technical capability notice can be given. I am worried that that would limit the effects of law enforcement. We know about the diversification of criminality and terrorism in order to find new ways to avoid protection. I am concerned that narrowing the legislation would allow loopholes to get larger. It is therefore important that the obligations relating to the technical capabilities for a range of operators can be imposed by the Government in order to ensure we keep ahead of the curve.

The hon. and learned Lady made the powerful point that the clause does not relate to personally applied encryption. However, measures in part 3 of RIPA 2000 provide for where law enforcement agencies can require an individual to remove encryption that he or she has applied themselves. We know that the Bill generally does not cover all the agencies’ powers. This is perhaps a welcome opportunity to remind ourselves of the existing provisions in part 3, so I am grateful to her.

Of course we accept that it may well be appropriate to exclude certain categories of operator from obligations under the clause—I am thinking, for example, of small businesses; we are always mindful of the burden of regulation on small businesses—but it is our intention to use secondary legislation to achieve that. It would not be appropriate in primary legislation to impose blanket exemptions on services with a communications element that are not primarily communications services. To do so would send a rather alarming and clear message to terrorists and criminals that communications over certain systems will not be monitored. That sort of carve-out recalls the point that I made about the use by criminals of seemingly unrelated or innocuous communications channels in other internet facilities or apps, in order to hide their illicit enterprises.

I know that I have taken up an inordinate amount of the Committee’s time. I am obliged to the Committee and to you, Ms Dorries, for your indulgence. I hope that I have set out the reasons why I urge hon. Members to withdraw the amendment, and I pray in aid my arguments as advancing the case that the clause should stand part of the Bill. I urge the hon. and learned Gentleman to withdraw the amendment.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I have only three issues to address. The first, which requires more attention from the Solicitor General—I say so with no disrespect—is the question of the extent of the prohibition on disclosure and, essentially, access to the courts or appropriate tribunals. On the face of it, clause 218(8) is a prohibition on disclosure, save with the permission of the Secretary of State. With respect to Committee members, I do not think that clause 220 provides the answer, because that deals with the consultation exercise where a notice is being reviewed.

I have no doubt that, if the Secretary of State exercised her power under clause 218(8) to prevent access to the courts, it would run straight into an article 6 access to courts argument that would succeed on judicial review. I had assumed that one could read into the clause by implication that permission would not be refused in a bona fide and proper case where access to court—or the relevant tribunal, which may be a better way of putting it—was an issue. If that were made clear for the record or by some redrafting of the clause, it would help. As I said, I think that, in practice, any court in this jurisdiction would strike down pretty quickly a Secretary of State who sought to prevent access to the court.

Photo of Robert Buckland Robert Buckland The Solicitor-General

I think that the hon. and learned Gentleman is right about that. On that basis, I will have another look at clause 218(8), to get it absolutely right. I reassure him that it is not the Government’s intention to preclude access to the court.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I am reassured. I am sure that that would not be the case, but it might be sensible to clarify that rather than relying on clause 220, because I am not sure that that is the right way to do it. However, I will say no more about that.

I was going to press for votes on amendments 846 and 849, but I have listened carefully to what the Solicitor General said and to what the Minister said when he rose to make some observations earlier. They are by far the two most important amendments. Amendment 846 deals with encryption. I think I heard the Solicitor General say that he will look again at the wording of clause 218(4) to see whether it is possible to make clear what is clear in the code of practice, namely, that an obligation placed on a CSP to remove encryption relates only to electronic protections that the company itself has applied to intercepted communications and secondary data. That is clearly the position that the Government adopt, because it is now set out in the code. I think that the Solicitor General might accept that, at the moment, clause 218(4) does not quite achieve that objective. On the basis that he is prepared at least to look at that again, I will not press amendment 846.

Equally, amendment 849 relates to the test. I listened carefully to what the Minister said. It would be more sensible if the clauses were aligned with the other provisions in the Bill and made clear the necessity and proportionality test. The Minister’s intervention appeared to make clear what the expectation would be in any event; he made it clear that at least some consideration would be given to whether that expectation can be reflected in some way that is not apparent in the Bill. The observations made by the Solicitor General and the Minister persuaded me not to press the amendments to a vote, so I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

The Scottish National party is not happy with this clause without amendment. I was going to press it to a vote, but having heard what the Solicitor General said about the clause, and pending his writing to me, I am willing not to press it. I just lay down a marker in that respect.

Question put and agreed to.

Clause 217 accordingly ordered to stand part of the Bill.

Clause 218