PARLIAMENTARY DEBATE
Investigatory Powers Bill (Fifteenth sitting) - 3 May 2016 (Commons/Public Bill Committees)
Debate Detail
Chair(s) Albert Owen, †Nadine Dorries
Members† Atkins, Victoria (Louth and Horncastle) (Con)
† Buckland, Robert (Solicitor General)
† Burns, Sir Simon (Chelmsford) (Con)
† Cherry, Joanna (Edinburgh South West) (SNP)
† Davies, Byron (Gower) (Con)
† Fernandes, Suella (Fareham) (Con)
† Frazer, Lucy (South East Cambridgeshire) (Con)
† Hayes, Mr John (Minister for Security)
† Hayman, Sue (Workington) (Lab)
† Kinnock, Stephen (Aberavon) (Lab)
† Kirby, Simon (Brighton, Kemptown) (Con)
Kyle, Peter (Hove) (Lab)
† Matheson, Christian (City of Chester) (Lab)
† Newlands, Gavin (Paisley and Renfrewshire North) (SNP)
† Starmer, Keir (Holborn and St Pancras) (Lab)
† Stephenson, Andrew (Pendle) (Con)
† Stevens, Jo (Cardiff Central) (Lab)
† Warman, Matt (Boston and Skegness) (Con)
ClerksGlenn McKee, Fergus Reid, Committee Clerks
† attended the Committee
Public Bill CommitteeTuesday 3 May 2016
(Afternoon)
[Nadine Dorries in the Chair]
Investigatory Powers Bill
Clause 212
Combination of warrants and authorisations
Question proposed, That the clause stand part of the Bill.
Question put and agreed to.
Clause 212 accordingly ordered to stand part of the Bill.
Schedule 8 agreed to.
Clause 213
Payments towards certain compliance costs
“(6) The appropriate contribution shall represent the full amount of the relevant costs, subject to any audit process under subsection (4)”.
This amendment would ensure that the Government meets 100% of the compliance costs and that there is full cost recovery for Communication Service Providers (CSPs) implementing the legislation.
It is a pleasure to serve under your chairmanship, Ms Dorries. The amendment speaks for itself, I think. The clause deals with payments towards certain compliance costs and subsection (1) deals with appropriate contributions. As the Committee will know, there has been real concern about what the cost of compliance will be for those called upon to comply and what contribution they will receive toward their relevant costs. The clause allows for “an appropriate contribution”. The amendment would ensure that the Government met 100% of the compliance costs and there was full cost recovery for communication service providers implementing the legislation..
There is concern among providers about what they will be expected to do by way of compliance and what the cost will be. It may be convenient for the Minister to deal with the estimated costs, because £170 million was mentioned at one stage but I am not sure that that is a final figure as far as the Government are concerned.
“Under the proposals in the Bill—the Home Secretary has made reference to it—we would recover our costs from the Home Office, as we have done under existing legislation.”
He went on to say that
“the proposed regime is more sensible as long as it is clear that we will recover 100% of our costs.”––[Official Report, Investigatory Powers Public Bill Committee, 24 March 2016; c. 45-46, Q126.]
And I am clear, quoting the Home Secretary, that
“100% of the compliance costs will be met by the Government.”—[Official Report, 15 March 2016; Vol. 607, c. 821.]
The hon. and learned Gentleman asks what that means in practice. The £174 million he mentioned is not a cap, but an estimate. It is dealt with in the impact assessment, and there is no cap in the impact assessment. We will meet costs such as they arise. We are determined to make sure that the Bill works and is not inhibited by any doubts about the cost of its implementation. Clearly, future Governments will inherit this legislation. It is worth emphasising that the current policy has not changed since the passage of the Regulation of Investigatory Powers Act 2000, so it has survived three Governments of different colours or combinations of colours—we used to be more rainbow-like than we are now, which is actually quite welcome, by the way. We are clear that 100% means what it says.
Above and beyond that—the hon. and leaned Gentleman did not ask for this, but I will add it—we need to be clear that the providers are consulted on any changes to the cost model and that they will be able to seek review of any variation to the notice that affects the level of their contribution. To sum up: we have an estimate, not a cap; a determination that 100% means 100%; a willingness to have a proper input into this; and an assurance—which I think is what the hon. and leaned Gentleman really seeks—that the Government will cover the costs so that the Bill does what it should.
Amendment, by leave, withdrawn.
Clause 213 ordered to stand part of the Bill.
Clauses 214 and 215 ordered to stand part of the Bill.
Clause 216
National security notices
“following approval by a Judicial Commissioner”.
Amendment 854, in clause 216, page 166, line 41, after “State”, insert “and a Judicial Commissioner”.
Amendments 853 and 854 would require judicial authorisation for national security notices. This would also extend the “double lock” standard that is set in other parts of the Bill.
Amendment 845, in clause 217, page 167, leave out lines 20 and 21 and insert—
“(1) The Secretary of State may, following approval by a Judicial Commissioner that the notice is justified, practicable, necessary and proportionate, give a relevant operator a notice (a ‘technical capability notice’)”.
This amendment would require judicial authorisation for Clause 217 and bring the clause in line with other provisions within the bill that require judicial authorisation.
Amendment 855, in clause 217, page 167, line 20, after “State”, insert
“following approval by a Judicial Commissioner”.
This amendment would require judicial authorisation for technical capability notices. This would also extend the “double lock” standard that is set in other parts of the Bill.
Amendment 852, in clause 220, page 171, leave out lines 1 and 2 and insert—
“(9) The Secretary of State may, after considering the conclusions of the Board and the Commissioner, and with approval of a Judicial Commissioner—”
This amendment would require judicial authorisation for these clauses and bring them in line with other parts of the bill.
Amendment 859, in clause 220, page 171, line 4, at end insert—
“(9A) Any variation made under subsection (9) must be approved by a Judicial Commissioner.”
This amendment would require judicial authorisation for the variation and revocation of national security and technical capability notices. This would also extend the “double lock” standard that is set in other parts of the Bill.
Clause 216 is concerned with national security notices. Subsections (1) and (2) make the power to issue such notices subject only to the test that they be
“necessary in the interests of national security”
and “proportionate”. There is no specific reference to any operational purposes; it is a very broad power. Once a notice is issued, subsection (3) takes effect:
“A national security notice may…require the operator to whom it is given—
(a) to carry out any conduct, including the provision of services or facilities, for the purpose of—
(i) facilitating anything done by an intelligence service under any enactment other than this Act, or
(ii) dealing with an emergency (within the meaning of…the Civil Contingencies Act 2004);
(b) to provide services or facilities for the purpose of assisting an intelligence service to carry out its functions more securely or more effectively.”
The Secretary of State issues a notice; once that notice is issued, the requirement on the operator is very broad. To be fair, subsection (4) makes it clear that a national security notice cannot be used to sideline or cut across a warrant or authorisation that is required under the Act, but the clause does make a very wide-ranging power available to the Secretary of State and it seems subject to pretty well no check, balance or safeguard.
The amendments would subject the procedure to the double-lock mechanism, to ensure that such a notice would go before a judicial commissioner, who would consider whether it was in the interests of national security and proportionate under subsections (1) and (2). The Joint Committee raised concerns about this issue when it looked at the draft Bill, and in particular how the lack of a definition of national security means that the power granted by the clause is very wide indeed.
My amendments go only to the process and not to the substance of clause 216, but if they were made, at least a separate pair of eyes would look at the notice and consider whether the test of necessity and proportionality was met. That in itself would be an important safeguard in keeping with the model that runs through the Bill.
An example of the type of support that might be required would be the provision of services or facilities to help the intelligence agencies in safeguarding the security of their personnel and operations. A notice might typically require a communications service provider to provide services to support secure communications by the security and intelligence agencies—for example, by arranging for a communication to travel via a particular route in order to improve security. A notice may additionally require the confidential provision of services to the security and intelligence agencies within the communications service providers, such as by maintaining a pool of trusted staff for the management and maintenance of sensitive communications services. I hope that gives the hon. and learned Gentleman some insight into what we are talking about here.
I am afraid I cannot share with hon. Members their analysis that we need a “now and forever” definition of national security in law. There is a good reason why national security is not defined in statute. Any attempt to define it in the Bill runs a real risk of restricting the ability of this country to respond to constantly evolving and unpredictable threats. It is vital that legislation does not, however unintentionally, constrain the ability of our security and intelligence agencies to protect this country. The examples are all around us: who would have imagined a few years ago cyber-attacks of the nature and on the scale that now threaten us? My concern is that if we try to rigidly define what we mean by national security, we run the risk of defeating the means by which we can keep this country safe.
Indeed, we have oversight because national security notices will be overseen by the Investigatory Powers Commissioner. The commissioner will have a duty to report at least once a year on what he or she has found and to make recommendations on where improvements can be made. The commissioner will also have the power to report on an ad hoc basis on any issue that he or she considers appropriate.
As I have said, we have the powers of review by the IPC. We also have the provision, pursuant to clause 220(5)(b) and (7), that the Secretary of State must consult the commissioner if a notice is reviewed, and the commissioner will then consider the proportionality of the matter before reporting conclusions to the Secretary of State. We have the checks and balances that the hon. and learned Gentleman rightly wants within the mechanism.
On amendments 853 and 854, I would say this: the role of the Secretary of State in issuing national security notices rightly reflects the responsibility of the Executive in protecting our national security; conversely, the role of the judicial commissioner in approving the issuing of warrants under the Bill reflects the particular and proper sensitivity regarding interference with private communications. We have got the double lock in place to ensure that, before the fact, a senior judge has to be satisfied that any interference with privacy is justified. The Bill explicitly prohibits—this is an important point—the issuing of national security notices for the primary purpose of obtaining private information, and the double lock then applies to the use of the most sensitive powers. We need to focus on the need for the double lock in relation to applications that result in the acquisition of private information. These types of notices do not permit the authorities to do that, so the amendments are unnecessary.
Amendments 845 and 855 deal with technical capability notices. Clause 217 builds on the current power provided for under the Regulation of Investigatory Powers Act 2000, where a company can be obliged to maintain a permanent interception capability in order to ensure that when a warrant is served, a company has the infrastructure in place to give effect to it securely and quickly. Again, any warrant served will have been reviewed by a judicial commissioner; he or she will play an important part in overseeing the operation of technical capability notices and any appeal that may be lodged against them. The commissioner will also be consulted about the making of regulations that will provide more detail about the operation of these types of notices, and those regulations will be put before Parliament for approval. Plenty of the checks and balances that the hon. and learned Member for Holborn and St Pancras, others interested in Bill and I would expect and want to see are here.
I am not persuaded of the need for amendments 852 and 859, because clause 220 already sets out the role of the IPC in the process of review and the actions that the Secretary of State must take in that process. The IPC will be integral to any review, because the Secretary of State must consult the commissioner, who will then consider whether the notice is proportionate. Inevitably, considerable weight will be afforded to the advice of the commissioner. The role of the commissioner provides an opportunity for the person on whom the notice has been served and for the Secretary of State to present evidence. The conclusions of the commissioner will be reported to the Secretary of State and to the person who has made the reference. After consideration of the conclusions, the Secretary of State may decide to confirm the effect of the notice, to change or vary it, or to withdraw it. Until that decision is made, there is no requirement for the person who has referred the notice to comply with the specific obligations under review.
In a nutshell, there are plenty of adequate safeguards to alleviate the concerns expressed by the hon. and learned Gentleman. I urge him to withdraw his amendments.
I am also concerned about clause 217. We will get on to that in more detail in a moment, but it is a wide-ranging clause on the maintenance of technical capability, which again ought to be subject to the double lock.
I apologise to the Committee, but on this occasion I will press the amendments in the group to a vote. In the past, in relation to a number of clauses, I have tested the Committee on the first one, but on this occasion I am not sure that I can do that. I think this will be the only occasion on which I will test the patience of the Committee, but clauses 216 and 217 are conceptually different and do not seem to be run as a group. I am afraid that I will press for a vote—as I say, I will not make a habit of it, and I have not done so before.
Question put, That the amendment be made.
Question put, That the amendment be made.
Question put, That the clause stand part of the Bill.
Clause 216 ordered to stand part of the Bill.
Amendment proposed: 845, in clause 217, page 167, leave out lines 20 and 21 and insert—
Question put, That the amendment be made.
Amendment proposed: 855, in clause 217, page 167, line 20, after “State”, insert “following approval by a Judicial Commissioner”.
‘(4A) A notice may not impose upon the relevant operator any obligations relating to the removal of electronic protection applied by or on behalf of that operator to any communications or data unless the relevant operator or a person acting on its behalf retains the technical ability to remove the electronic protection from such communications or data.”
This amendment would provide clarity and legal certainty for industry that the Government will not require back doors to be installed into products and services, is not seeking to weaken or restrict the use of encryption and that companies cannot be required to remove encryption if they do not have the means to do so at their disposal.
Amendment 847, in clause 217, page 168, line 16, at end insert—
“(e) persons generally held to be representing users and privacy interests in order to assess the impact of any such Regulations on users.”
This amendment would ensure that privacy protections form an overarching part of the Bill and apply across the full range of investigatory powers afforded to the security services.
Amendment 848, in clause 217, page 168, line 24, leave out subsection (8) and insert—
“(8) A technical capability notice may only be given to persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom) where it would not cause the person to act contrary to any laws or restrictions under the law of the country or territory where it is established, for the provision of services.”
This amendment would remove all provisions within the Bill that have extraterritorial reach and undermine the long term objective of creating a long term, international framework for law enforcement to gain access to data held overseas and resolves conflict of laws situations that may otherwise arise by providing the Secretary of State with the power to serve such notices without having to take account of domestic legal obligations to which the recipient is subject.
Amendment 857, in clause 217, page 168, line 30, at end insert—
“(11) A person shall not be liable to have a technical capability notice served on him in accordance with regulations under this section by reason only that he provides, or is proposing to provide, to members of the public a telecommunications service the provision of which is or, as the case may be, will be no more than—
(a) the means by which he provides a service which is not a telecommunications service; or
(b) necessarily incidental to the provision by him of a service which is not a telecommunications service.”
This amendment would exclude (under powers in RIPA section 11(4)) those services that have a communications element, but are primarily not a communication service. This limits the very broad range of “telecommunication services” that could be required to build a technical capability under this Part.
Amendment 849, in clause 218, page 168, leave out lines 37 and 38, and insert—
“(3) Before giving a relevant notice, the Secretary of State must provide evidence that the notice is justified, necessary practicable and proportionate, having, among other matters, taken into account—”
Amendment 850, in clause 218, page 168, line 45, at end insert—
“(f) the effect on the privacy and human rights of people in the United Kingdom and outside the United Kingdom”
Amendments 848 to 850 would make explicit the requirement on the Home Secretary to justify the use of a power as intrusive as a technical capability notice. It will also require the Home Secretary to take account of the full effects of such a notice, particularly on people and companies based overseas.
Amendment 858, in clause 218, page 169, line 7, leave out—
“A technical capability notice may be given to a person outside the United Kingdom”
and insert—
“Where a technical capability notice is to be given to a person outside the United Kingdom, the notice shall be served at that person’s principal office outside the United Kingdom where it is established, for the provision of services. Where it is considered unfeasible or inappropriate in the circumstances”
This amendment would require that a UK agency would only serve a notice on an overseas entity that is capable of providing assistance under the warrant.
“imposing on the relevant operator any applicable obligations specified in the notice,”
and
“requiring the person to take all the steps specified in the notice for the purpose of complying with those obligations”.
That is a very wide power, and the concern is about the extent of it. In a moment, I will refer to the code of practice, which sets out some of the capabilities that might be required.
It is clear that the power includes taking steps relating to encryption. I say that for two reasons. Subsection (4) lists in paragraphs (a) to (e) the obligations that may be specified in regulations. They include obligations
“to provide facilities or services of a specified description”
and obligations relating to
“apparatus owned or operated by a relevant operator”
or to
“the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”.
That is clearly veering into encryption. Obligations may also relate to
“the security of any postal or telecommunications services provided by a relevant operator”
or
“the handling or disclosure of any information.”
If one reads ahead, clause 218(4) deals with further provisions on notices under clauses 216 and 217, stating:
“Where the relevant notice would impose any obligations relating to the removal by a person of electronic protection applied by or on behalf of that person to any communications or data, in complying with subsection (3) the Secretary of State must in particular take into account the technical feasibility, and likely cost, of complying with those obligations.”
The concern of many who might be called upon to comply with the obligations is about the wide-ranging nature of the power.
This also goes deep into the debate about encryption. It is absolutely clear that a notice could require protection to be removed, and the clause envisages that being the case. That becomes clearer when one reads the “Interception of Communications” draft code of practice from chapter 8 onwards. If one reads paragraphs 8.1 to 8.94, one sees what is in fact a power that allows the Secretary of State, through this mechanism, effectively to take control of a capability of a service provider. Paragraph 8.1 states:
“The purpose of maintaining a technical capability is to ensure that, when a warrant is served, companies can give effect to it securely and quickly. Small companies (with under 10,000 users) will not be obligated to provide a permanent technical capability”.
Paragraph 8.3 then lists the wide range of obligations that can be imposed in a notice under this clause.
Paragraph 8.4 of the draft code states:
“An obligation placed on a CSP to remove encryption only relates to electronic protections that the company has itself applied to the intercepted communications (and secondary data), or where those protections have been placed on behalf of that CSP, and not to encryption applied by any other party.”
That is very important provision, which I think I am right to say was clarified as a result of a recommendation from prelegislative scrutiny. The difficulty—I am anticipating the discussion we are about to have—is that this crucial issue is dealt with in the code of practice and not in the Bill. The concern expressed in the evidence given to the various prelegislative bodies and to the Committee was that companies will be obliged to remove the protections in their own systems. Paragraph 8.4 is of some comfort to them because it makes it clear that the obligation would only relate
“to electronic protections that the company has itself applied”
and not to other encryption—but the real problem is that paragraph 8.4 is in the code of practice and not in the Bill. That needs to be rectified. We cannot leave something as important as that in the code of practice. It goes to the heart of the power in the clause. It is far and away the biggest cause for concern among CSPs, yet it is not dealt with in the Bill. The Bill provides for a permissive, rather than a restrictive, regime—if I am wrong about that, I will happily take an intervention.
Paragraph 8.6 of the code of practice clarifies that:
“While an obligation to remove encryption may only relate to protections applied by or on behalf of the company…there will also be circumstances where a CSP removes encryption from communications for their own business reasons. Where this is the case, an intercepting agency will also require the CSP, where applicable and when served with a warrant, to provide those communications in an intelligible form.”
The code then makes provision for giving a notice, for the disclosure of technical capability notices, and for their review and variation. Paragraph 8.27 and 8.28 are very wide-ranging. Paragraph 8.28 states:
“CSPs subject to a technical capability notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.”
That goes deep into territory hitherto unregulated in this way; CSPs will be required to give the Government notice of their new products and services, so that the Government can consider whether to vary a notice that already applies to them. We can see why the service providers are so concerned about that capability.
Pressing on through the code of practice, we see that the contribution of costs for the maintenance of a technical capability is dealt with from paragraph 8.43. Again, these provisions give an indication of the breadth of the capability covered by the clauses of the Bill. Paragraph 8.43 states:
“Section 213 of the Act recognises that CSPs incur expenses in complying with requirements in the Act, including notices to maintain permanent interception capabilities under Part 9. The Act, therefore, allows for appropriate payments to be made to them to cover these costs.”
In a sense, the requirement for CSPs to give notice when they have new or different services and to maintain permanent interception capabilities when they would not otherwise do so means the taking control of their services for the purposes of the Act.
That, again, is an indication of just how wide these powers will be. Paragraphs 8.51 to 8.53 deal with the power to develop compliance systems, suggesting that,
and stating that clause 214 provides the Secretary of State with that power. Paragraph 8.53 is the inevitable conclusion of that, stating:
which is the option of ensuring that the CSP itself develops and maintains the capability. If not, the Secretary of State can do so and then there will inevitably be a requirement to integrate that capability into existing networks, and so on and so forth. That is why, although the detail of paragraphs 8.1 to 8.94 is welcome, it is the clearest evidence one could get of the breadth of the powers.
Amendment 846 would
The amendment is intended to deal with the concern of service providers about how the clause would apply to encryption. Amendment 847 would add a requirement to take into account privacy interests. I will not press that amendment to a vote and I will not spend time on it now, because to some extent it is probably overtaken by the overarching privacy provisions, which we will deal with later in a new clause.
Amendment 848 is self-explanatory. There is a continuing concern among service providers about obligations being imposed on them that would put them in breach of the law, or a restriction under the law, in the country or territory in which they are operating. The intention behind the amendment is to remove that conflict by ensuring that no obligation under clause 217 would
Amendment 857 would deal with a sub-clause of service providers by excluding
Amendment 849 is probably the most significant of this group of amendments, as it would insert a new requirement into clause 218:
It then lists what must be taken into account. I pause there because it is significant that clause 217 is not subject to a necessity and proportionality test. It is subject to a reasonableness test. Clause 217(3) shows that there is no need for the Secretary of State to show necessity or proportionality.
Interestingly, when it comes to variation in clause 219(4), as far as the national security notice is concerned, there is a requirement to demonstrate proportionality. The amendment would build in a new test to be applied under clause 217. Finally, amendment 858 is our old friend “service outside the jurisdiction”, which I have rehearsed already.
I also note that necessity is required under clause 217(6), which relates to the steps specified in a technical capability notice. I do not know whether that helps the hon. and learned Gentleman. I will certainly consider the issue carefully, but on the face of it, I do not think there is a worry of the sort that he envisages.
“seemingly open-ended and unconstrained power”.
Does the Solicitor General not agree that it is therefore essential that the tests of necessity and proportionality are spelled out in the clause, as they are in other parts of the Bill?
May I deal with encryption, which, as the hon. and learned Gentleman rightly characterised, is at the heart of the matter? I put it on the record that the Government recognise the vital importance of encryption. It has become part of our daily lives. It keeps our personal data and intellectual property secure and ensures safe online commerce, and the Government work closely with industry and business to improve their cyber-security. I can reassure the Committee that in the preparation of the code of practice, there has been close consultation with the interested parties in the industry to ensure that it comprehensively reflects the realities and needs of those who operate in this sphere. Not only does the code of practice replicate the provisions of RIPA, but it goes further, with a degree of specificity that is not possible in primary legislation. It will be a flexible, living instrument that will form a clear prospectus within which everyone can work. I make no apology for the measure being in a code practice, which is where it should be, rather than in primary legislation. With the best will in the world, we all know that it is difficult to amend primary legislation and ensure that it keeps pace with the somewhat breathtaking changes that occur in this particular field of operation.
I also want to talk about the role of GCHQ, which plays a vital information assurance role and provides advice and guidance to allow the Government, industry and the general public to protect their IT systems and use the internet safely. As the director of GCHQ, Robert Hannigan, made clear in his speech on 8 March:
“I am accountable to our Prime Minister just as much, if not more, for the state of cyber security in the UK as I am for intelligence collection.”
In the past two years the security and intelligence agencies have disclosed vulnerabilities in every major mobile and desktop platform, including some of the big names that underpin business here in the UK. In September 2015, Apple publicly credited CESG, the information assurance arm of GCHQ, with detecting a vulnerability in its operating system for iPhones and iPads, and we all know where that vulnerability could have led. The vulnerability was fixed as a result of that intervention, so the suggestion, which I know has not been advanced in this Committee—and I hope will not be—that the Government are opposed to encryption, or would legislate to undermine it, is wholly wrong.
We have to ensure that we have the necessary capabilities to keep our systems safe. Encryption is now, in effect, the default setting for most of our IT products and online services, and although it can be a power for good in keeping the law-abiding safe and secure, sadly it is used easily and all too cheaply by terrorists, paedophiles and other criminals. Therefore it can only be right that we retain the ability to require telecommunications operators to remove encryption in strictly limited circumstances, with strong controls and safeguards, so that we can address the increasing technical sophistication of those who would seek to do us harm. If we do not do that, we must simply accept that there are areas online that are beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. I do not accept that, and I know the general public do not accept it either. That is our starting principle.
The starting principle is shared by David Anderson, who in his important review said:
“My first principle is that no-go areas for law enforcement should be minimised as far as possible, whether in the physical or the digital world.”
That view was shared by the Joint Committee on the draft Bill and is shared by the Select Committee on Science and Technology, both of which recognise that, in tightly prescribed circumstances, it should remain possible for our law enforcement and security and intelligence agencies to be able to access decrypted communications or data. That is what clauses 217 and 218 are all about: strong safeguards to ensure that obligations to remove encryption can be imposed only in limited circumstances, subject to rigorous controls.
Before I go further, I will deal with the point that the hon. and learned Member for Edinburgh South West made about Apple. My understanding is that the process will give her some reassurance. In that scenario, Apple, as the recipient of the notice, could refer it back to the Secretary of State, who in turn must then consult the technical advisory board and the IPC before deciding whether to proceed further with the notice. If the Secretary of State proceeded, it would then be judicable in the courts, which would determine whether the notice could be enforced. It is quite similar to the scenario that we discussed in the context of national security notices. I hope that gives her some assistance.
I was dealing with the process of consultation before the giving of a notice, and we have had the Apple example. I would like to develop the importance of the draft codes of practice, which the hon. and learned Gentleman has referred to.
The Bill makes it absolutely clear that in line with current practice, obligations placed on telecommunications operators to remove encryption may relate only to encryption by or on behalf of the Government. That is the point I was making about subsection (4).
“a postal operator…a telecommunications operator, or…a person who is proposing to become a postal operator or a telecommunications operator.”?
That definition is the basis of the concern for companies such as Apple.
We are talking about an attempt to obtain communications data within the robust legal framework that we have set out, with the double lock and all the other mechanisms that my right hon. Friend and the Committee are familiar with. I am grateful to him for raising that case, but there are important differences that it would be wrong to ignore. In a nutshell, without the powers contained in the Bill, a whole swathe of criminal communication would be removed from the reach of the authorities. That is not in the interests of the constituents he has served with distinction for well over a quarter of a century—he will forgive me for saying that—or any other of the constituents we represent.
I was going to come back to the obligations imposed under a technical capability notice, with particular regard to the removal of encryption. The obligations imposed under such a notice will require the relevant operator to maintain the capability to remove encryption when it is later served with a warrant notice or authorisation. That is different from merely requiring it to remove encryption. In other words, it must maintain the capability, but there then needs to be the next stage, which is the warrant application and the notice of authorisation, where there is of course the double lock. The company on which the warrant is served will not be required to take any steps, such as to remove encryption, that are not reasonably practicable.
In a nutshell, this measure is about not an interference with privacy but sets out the preparatory stage before a warrant can be applied for. The safeguards provide the strict controls that I assure the Committee are needed in this sphere of activity. We are maintaining and clarifying the existing legal position.
The Bill does not drive a coach and horses through encryption. It does not ban it or do anything to limit its use. A national security notice—we debated this matter on clause 216—cannot require the removal of encryption, which further supports my argument that there is no blank cheque in the context of these notices. On the issue of civility, rather than keep this Committee waiting, I will write to the hon. and learned Lady to clarify the point that she rightly raised.
Let me deal with the amendments tabled in the name of the hon. and learned Member for Holborn and St Pancras and others. On amendment 846, the Bill already makes it absolutely clear that a communications service provider will not be obligated to remove encryption where it is not reasonably practicable for them to do so. I do not think the amendment adds anything, and in many cases it would have the effect of inhibiting law enforcement agencies and the security and intelligence services from working constructively with tele- communications operators as the technology develops. I am sure that that is not the intention of the amendment. Depending on the individual company and the individual circumstances, it may be entirely sensible for the Government to work with a company to determine whether it would be reasonably practicable for it to take steps to develop and maintain the technical capability to remove the encryption it has applied to communications or data.
My worry about the amendment is that we would end up with communications services that can be used by criminals and others to communicate with each other unimpeded. We know that internet gambling sites, which have chat room provisions, are used by criminals for entirely unrelated criminal activities. I am sure that that is not the intention behind the amendment. Therefore, with respect, I urge hon. Members to reconsider it.
I will not deal in detail with amendment 847, because I do not think the hon. and learned Gentleman seeks to press it. Although I oppose it, I will move on without argument to amendments 848 and 858. We have discussed similar amendments on extraterritoriality in relation to other powers in the Bill. I pray in aid the arguments I used earlier. The provisions in the Bill allow a notice to be given in the most appropriate manner, taking into account the preferences of each company, which is an example of the adaptability of the legislation to the real world.
Amendment 848 is unnecessary because the clause is about not the acquisition but the development and maintenance of a technical capability. Conflict of law issues are much more likely to arise in respect of giving effect to a warrant, and we already have protection in the Bill for such cases. Admirable though the amendment may seem, it is therefore unnecessary.
Amendment 849 is unnecessary because it duplicates provisions in clauses 218, 216 and 217. I have discussed clause 218(3), which stipulates that the Secretary of State must consider a wide range of matters before giving a notice. That detailed assessment already speaks to the issues raised by the amendment. The Secretary of State has to be satisfied that the conduct is proportionate, justified, necessary and practicable.
Amendment 850 relates to consideration by the Secretary of State of the effect of a notice on the privacy and human rights of people both here and outside the kingdom. The amendment is unnecessary because of the point I made before, which I will reiterate: the clause is not about notices authorising an interference with privacy. A warrant provided for elsewhere in the Bill is required to do that, and we have already considered the potency of the double lock and the test to be applied. A point that is relevant to all the amendments in this group is the statutory function of the Investigatory Powers Commissioner to oversee the use of notices. I raised that in the context of national security notices, and I pray it in aid here again.
Amendment 857 seeks to narrow the category of operators to whom a technical capability notice can be given. I am worried that that would limit the effects of law enforcement. We know about the diversification of criminality and terrorism in order to find new ways to avoid protection. I am concerned that narrowing the legislation would allow loopholes to get larger. It is therefore important that the obligations relating to the technical capabilities for a range of operators can be imposed by the Government in order to ensure we keep ahead of the curve.
The hon. and learned Lady made the powerful point that the clause does not relate to personally applied encryption. However, measures in part 3 of RIPA 2000 provide for where law enforcement agencies can require an individual to remove encryption that he or she has applied themselves. We know that the Bill generally does not cover all the agencies’ powers. This is perhaps a welcome opportunity to remind ourselves of the existing provisions in part 3, so I am grateful to her.
Of course we accept that it may well be appropriate to exclude certain categories of operator from obligations under the clause—I am thinking, for example, of small businesses; we are always mindful of the burden of regulation on small businesses—but it is our intention to use secondary legislation to achieve that. It would not be appropriate in primary legislation to impose blanket exemptions on services with a communications element that are not primarily communications services. To do so would send a rather alarming and clear message to terrorists and criminals that communications over certain systems will not be monitored. That sort of carve-out recalls the point that I made about the use by criminals of seemingly unrelated or innocuous communications channels in other internet facilities or apps, in order to hide their illicit enterprises.
I know that I have taken up an inordinate amount of the Committee’s time. I am obliged to the Committee and to you, Ms Dorries, for your indulgence. I hope that I have set out the reasons why I urge hon. Members to withdraw the amendment, and I pray in aid my arguments as advancing the case that the clause should stand part of the Bill. I urge the hon. and learned Gentleman to withdraw the amendment.
I have no doubt that, if the Secretary of State exercised her power under clause 218(8) to prevent access to the courts, it would run straight into an article 6 access to courts argument that would succeed on judicial review. I had assumed that one could read into the clause by implication that permission would not be refused in a bona fide and proper case where access to court—or the relevant tribunal, which may be a better way of putting it—was an issue. If that were made clear for the record or by some redrafting of the clause, it would help. As I said, I think that, in practice, any court in this jurisdiction would strike down pretty quickly a Secretary of State who sought to prevent access to the court.
I was going to press for votes on amendments 846 and 849, but I have listened carefully to what the Solicitor General said and to what the Minister said when he rose to make some observations earlier. They are by far the two most important amendments. Amendment 846 deals with encryption. I think I heard the Solicitor General say that he will look again at the wording of clause 218(4) to see whether it is possible to make clear what is clear in the code of practice, namely, that an obligation placed on a CSP to remove encryption relates only to electronic protections that the company itself has applied to intercepted communications and secondary data. That is clearly the position that the Government adopt, because it is now set out in the code. I think that the Solicitor General might accept that, at the moment, clause 218(4) does not quite achieve that objective. On the basis that he is prepared at least to look at that again, I will not press amendment 846.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
Question put and agreed to.
Clause 217 accordingly ordered to stand part of the Bill.
Clause 218
Further provision about notices under section 216 or 217
Question proposed, That the clause stand part of the Bill.
Question put and agreed to.
Clause 218 accordingly ordered to stand part of the Bill.
Clause 219
Variation and revocation of notices
“(and in the application of section 218(3) and (4) in relation to varying a relevant notice, references to the notice are to be read as references to the notice as varied).”
This is a technical amendment. Ms Dorries, I should have welcomed you to the Chair earlier, but I do so now. The amendment is uncontentious and makes a drafting correction to clause 219. On that basis, it should not cause the Committee any undue concern, and I move it in that spirit.
Amendment 734 agreed to.
Clause 219, as amended, ordered to stand part of the Bill.
Clause 220
Review by the Secretary of State
‘(6) The Board must consider the technical requirements and the consequences, for the person who has made the reference and for others likely to be affected, of the notice so far as referred.”
This amendment would require the Technical Advisory Board to look at more than just an implementation of cost measure and instead examine the full costs of the notice.
Our discussions have already strayed on to clause 220. This short amendment is reasonably clear. Subsection (6) makes it clear that the technical advisory board, referred to in subsection (5)(a),
“must consider the technical requirements and the financial consequences, for the person who has made the reference, of the notice so far as referred.”
That is where the person served with the notice has referred the notice back to the Secretary of State, which then triggers a consultation exercise. The board must be consulted; subsection (6) sets out what the board must consider. The amendment is fairly self-explanatory; it would serve the limited purpose of requiring the technical advisory board to look at more than just the implementation of cost measure, and instead examine the full costs of the notice.
The technical advisory board is essentially a committee of experts. It has a very specific role to play in advising the Secretary of State on cost and technical matters. That role is reflected in its membership: a group of experts drawn from communications service providers and from those entitled to apply for warrants and authorisations under the Bill. Such people are well placed to consider the technical requirements and the financial consequences. If they consider it appropriate, they may look beyond cost and technical feasibility, but those matters, rightly, are the board’s central purpose and are at the core of its work. The board is also required to consider evidence or representations made by communications service providers and must report its conclusions to them and to the Secretary of State.
In my view, responsibility for considering the broader effects of the notice on the communications service provider to whom it has been given should sit with the Investigatory Powers Commissioner. While it is absolutely right that the board considers both the technical aspects and the cost, the broader matters that the hon. and learned Gentleman is rightly concerned about should fall within the scope of the commissioner, as they do in the Bill. As part of any review of the obligations set out in the notice, the commissioner must report on the proportionality of those obligations; that will include an assessment of the consequences of the notice, both on the persons seeking the review and on anyone else affected—which is essentially the argument the hon. and learned Gentleman made for the amendment.
Furthermore, the clause requires the commissioner to seek out the views of the person who has received the notice, who will have the opportunity to raise any concerns about the effect of the notice with the commissioner for consideration; the commissioner must report his or her conclusions to that person and to the Secretary of State. Essentially, combining the role and responsibilities of the board with the role and responsibilities of the commissioner means that each of them will provide a function central to the hon. and learned Gentleman’s concerns, so the amendment is unnecessary. I should add that the commissioner is properly and well placed to consider the proportionality of the matter as a whole, after careful assessment. The amendment’s wording would introduce duplication and, frankly, a degree of ambiguity about the respective roles of the board and the commissioner and about what each of them is considering. With that reassurance, I hope the hon. and learned Gentleman will withdraw the amendment.
Amendment, by leave, withdrawn.
Amendment proposed: 852, in clause 220, page 171, leave out lines 1 and 2 and insert—
“(9) The Secretary of State may, after considering the conclusions of the Board and the Commissioner, and with approval of a Judicial Commissioner—”.—(Keir Starmer.)
This amendment would require judicial authorisation for these clauses and bring them in line with other parts of the bill.
Question put, That the amendment be made.
Question put, That the amendment be made.
Clauses 220 and 221 ordered to stand part of the Bill.
Question proposed, That the clause stand part of the Bill.
“(1) The Secretary of State shall appoint an Independent Reviewer to prepare the first report on the operation of this Act within a period of six months beginning with the end of the initial period.
(2) In subsection (1) “the initial period” is the period of four years and six months beginning with the day on which this Act is passed.
(3) Subsequent reports will be prepared every five years after the first report in subsection (1).
(4) Any report prepared by the Independent Reviewer must be laid before Parliament by the Secretary of State as soon as the Secretary of State is satisfied it will not prejudice any criminal proceedings.
(5) The Secretary of State may, out of money provided by Parliament, pay a person appointed under subsection (1), both his expenses and also such allowances as the Secretary of State determines.”
I inform the Committee that I consider clause 222 and new clause 23 to be alternatives. If the Committee decides that clause 222 should stand part of the Bill, I will not put the Question on new clause 23. If the Committee decides that clause 222 should not stand part, when the Committee comes to decisions on new clauses, I will put the necessary Questions on new clause 23 without debate.
“The draft Bill is far reaching and has the power to affect the lives of all citizens to differing degrees. For these reasons, the bill should include a sunset clause or other provisions requiring effective post legislative scrutiny. This would ensure that measures of this magnitude remain necessary, are targeted on the right areas and are effective in practice. To fail to make this provision risks undermining public trust and confidence. It will also enable the legislation to be considered in the light of the latest jurisprudence from the”
Court of Justice of the European Union and the European Court of Human Rights. Various variations on the Information Commissioner’s proposal were put to the Joint Committee by other witnesses, including medConfidential, Dr Paul Bernal, the right hon. Member for Haltemprice and Howden (Mr Davis), Privacy International and the Interception of Communications Commissioner’s Office.
The Home Secretary expressed reservations about having a sunset provision, but it is good to see that there is now some such provision in the Bill. What is missing from it, however, is an independent element.
It goes on to say that he or she
To an extent, that follows up on recommendation 86 of the Joint Committee, because it recommended that a provision be added to the Bill for post-legislative scrutiny by a Committee of the two Houses within six months of the end of the fifth year after the Bill was enacted. However, an independent element is missing from this sunset clause.
Throughout the deliberations of this Committee, much reference has been made to the report of the independent reviewer of terrorism legislation, David Anderson, QC. I think we can all see the benefit of having that sort of independent input. The purpose of new clause 23 is to transform this sunset clause into one that will have the necessary element of independence to ensure the sort of public confidence that is required for a sunset clause.
I remind members of the Committee that the Information Commissioner said that a sunset clause should be there to shore up public trust and confidence. Without the independent element, it is less likely that such public trust and confidence will be ensured. The purpose of new clause 23 is to provide that
to prepare the report, rather than it being done by the Secretary of State or persons acting under their auspices. The new clause would also provide that the necessary financial wherewithal was made available to enable that job to be done properly.
I understand why this new clause has been tabled, but it puts me in a bit of a dilemma. Is a review by the Secretary of State a good thing? Yes. I would therefore support clause 222 if I could not get anything better. I would not want to vote against the Secretary of State reviewing the Act if I lost on new clause 23, because it is sensible to have a Secretary of State review it. In other words, clause 222 is good, but new clause 23 is better; that is the way I would put it. I am in a dilemma, because if I vote against clause 222, I am voting against a good clause that I would naturally support in principle, but if the vote on new clause 23 was not carried—and having looked at the voting record so far, I am not confident that it would be—
I will deal with the substance of the new clause and its purpose. The hon. and learned Gentleman is right that new clause 23 would replace the Government’s proposals for a review of the operation of the Act as set out in clause 222, and he is also right that the clause obliges the Secretary of State to report to Parliament on the operation of the Act within four to five years. He described the detail, and I will not tire Committee members by quoting it more specifically. The new clause proposes instead the appointment of an independent reviewer to report on the operation of the Act every five years, beginning five years after the Act is passed.
Where we find common cause is in thinking that both pre-legislative and post-legislative scrutiny are essential. One could make that argument for most legislation, but particularly for legislation in this field, for two reasons: first, its import; and, secondly, the changing circumstances that will doubtless apply, as regards both technology, which the Bill deals with expansively, and the threat we face. All we know about the changes that have taken place over recent years suggests that those changes will continue and may grow in character and speed.
I fully understand why the hon. and learned Gentleman wants the whole House to take a close look at these matters over time. Indeed, the Home Secretary, in her evidence to the Joint Committee on the draft Bill, said:
“As technology advances, it may be necessary to revisit the powers, the legislative framework and the safeguards that are available”.
That is eminently sensible, and something that the Government wholeheartedly support.
As I said, clause 222 provides for judicial review. The hon. and learned Gentleman did not mention it, but he will know that the Joint Committee looked at that, and said that
“the appropriate vehicle to do this would be a specially constituted joint committee of the two Houses. This work should begin within six months of the end of the fifth year after which the Bill is enacted. Although the appointment of such a committee would be a matter for the two Houses, a provision in the Bill would provide a clear mandate and guarantee the timescale for this review.”
The Joint Committee gave that quite careful consideration. The members of this Committee who were also members of that one will recall that they did so because of the shared determination, which the hon. and learned Gentleman has articulated well, that we should not assume that as time goes on we will not need to be reasonably flexible about the application of the powers.
The Solicitor General made a point about providing legislation that looks as far into the future as possible. Certainly, the purpose of the Bill is to not only draw existing legislation into a single place but, as far as one reasonably can, prepare for the future. However, in doing so, it is important to be mindful of what the Joint Committee said, reflecting the Home Secretary’s evidence.
The hon. and learned Member for Holborn and St Pancras will know that the Joint Committee went on to recognise that the Government cannot, in statute, require Parliament to appoint a post-legislative scrutiny Committee. Let me explain that a little more. Ms Dorries, as you will understand with your experience in the House, it is not for the Government to say what Select Committees might look at over time. It certainly would not be for the Government to dictate to the Intelligence and Security Committee, for example, how it should regard or review the legislation within its scope or purview. It would be a dangerous precedent to set to say that any particular Select Committee should, statutorily, consider matters at a particular point in time, or in a particular way.
The clause says that the report should take account of any other report on the operation of the Act, mindful of what I have just described—that is, that the ISC, other Select Committees, or Committees of both Houses could bring evidence to bear that would inform that review. In essence, it would be a matter for Parliament to decide precisely what was looked at and when, within the confines determined in the Bill, but it is essential that the Secretary of State is missioned to report on the Bill’s implementation in the timetable described. That is something that legislation can quite properly do; it both gives all kinds of powers to the Secretary of State, and confirms those powers.
While I can see why the hon. and learned Gentleman supports the new clause, it is unnecessary, not because of the intent, but because of the detail. Essentially, we are offering two different models in order to achieve the same end. A parliamentary Committee would be just as independent as a separately appointed reviewer—and it would avoid the argument, which I know Opposition Members would be quick to have, about who should be responsible for appointing the reviewer.
The hon. and learned Gentleman is right to say that, of course, the Secretary of State would want to take into account the views of all those in positions of authority who have taken a view on the Bill and its implementation and effects in her or his report. I certainly would not want to exclude from that consideration any of the authoritative reports published on the Bill. I think that probably meets the hon. and learned Gentleman halfway, and perhaps a little more than halfway.
Any parliamentary review would take evidence from a range of witnesses. It is, again, almost inconceivable that the independent reviewer would not be a key witness, as our current independent reviewer was to the Joint Committee and other Committees of the House. It would—again, as the Joint Committee did—be likely to appoint technical advisers, who would inform the process and work in concert with the ISC. While the Government support a post-legislative review of the Bill, that review should be conducted by Parliament—by legislators drawing on external expertise and evidence, as the Joint Committee recommended. I therefore invite hon. Members not to press the new clause to a vote.
Question put and agreed to.
Clause 222 accordingly ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned. —(Simon Kirby.)
Contains Parliamentary information licensed under the Open Parliament Licence v3.0.