Lord Harris of Haringey
Main Page: Lord Harris of Haringey (Labour - Life peer)Department Debates - View all Lord Harris of Haringey's debates with the Ministry of Defence
Investigatory Powers Bill
Lord Harris of Haringey ExcerptsTuesday 11th October 2016
(7 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 62-I(Rev)(a) Amendment for Report, supplementary to the revised marshalled list (PDF, 51KB) - (11 Oct 2016)
Lord Paddick (LD)
My Lords, Amendment 13 is also in the name of my noble friend Lord Strasburger. In Committee, we moved an amendment that would have triggered implementation of the Privacy and Civil Liberties Board that the Liberal Democrats in the coalition Government insisted was part of the package of measures included in the Counter-Terrorism and Security Act 2015. We withdrew that amendment but the Government have failed to give us any hope that it will be accepted. At this stage we are introducing a new amendment to establish an alternative Privacy and Civil Liberties Board based more closely on the well-regarded American model.
In the United States the Privacy and Civil Liberties Oversight Board is an independent, bipartisan agency within the executive branch. It comprises four part-time members and a full-time chairman, and the board is vested with two fundamental authorities: first, to review and analyse actions the executive branch takes to protect the nation from terrorism, ensuring that the need for such actions is balanced with the need to protect privacy and civil liberties; and secondly, to ensure that liberty concerns are appropriately considered in the development and implementation of laws, regulations and policies related to efforts to protect the nation against terrorism. We want a similar body in the UK, and we are not the only ones who do. The Prime Minister, when Home Secretary, committed the Government to,
“ensure we have more transparency from Government”,
which we are doing through this Bill. She continued:
“We will also reduce the number of bodies that are able to have access to the communications data”,
which, again, we are doing through this Bill, and,
“establish a privacy and civil liberties board based on the US model”.—[Official Report, Commons, 10/07/14; col. 472.]
It is only the latter commitment that this Government have failed to fulfil and which this amendment seeks to address. Noble Lords will see that the wording of the amendment seeks to reflect as accurately as possible the American model, which is widely seen as a world-class example of its kind.
Lord Harris of Haringey (Lab)
Is the noble Lord therefore saying that the American approach to this matter is totally protective of civil liberties?
Lord Paddick
My Lords, I am saying that the American model provides significant safeguards, in that somebody represents the side of privacy and civil liberties in the argument; it is not simply a case of the security agencies’ side being put, as perhaps some might see in this country.
Unlike the previous amendment, this amendment does not seek to replace the Independent Reviewer of Terrorism Legislation. On the contrary, noble Lords will see that the independent reviewer must be consulted on the appointment of members of the board. This is complementary to, not a replacement for, the Independent Reviewer of Terrorism Legislation. The current reviewer, Mr David Anderson, has previously argued that the post of independent reviewer is under-resourced and that it does not cover a wide enough range of laws. He said:
“If appropriately staffed and directed by the Independent Reviewer, the proposed new body could sharpen that investigative function and increase its scope”.
I accept that Mr Anderson also has concerns, and no doubt my noble friend Lord Carlile of Berriew, his predecessor, will tell us that he too has concerns. However, it continues to be the view of the Liberal Democrats—
Lord Paddick
My Lords, I am very grateful to those who contributed to this debate. As far as my noble friend Lord Carlile of Berriew is concerned, I am not familiar with the Patriot Act but I know that the Privacy and Civil Liberties Oversight Board has made a significant difference in redressing the balance of some laws in the United States. Even though the noble Baroness, Lady Buscombe, spoke to members of that board and asked whether the Government must listen to it, the fact is that the Government in America did listen and acted on some of the board’s recommendations.
Clearly, these people would need to be security vetted. They will be appointed by the Secretary of State, who could impose whatever conditions she thought fit on those people.
On sloppy drafting, I am afraid it is that no more than three members of the board should be of the same political party rather than that three members should not be of any political party, which is what I think my noble friend suggested.
Lord Harris of Haringey
I am sorry to interrupt the noble Lord again, but could he clarify what that phrase is intended to mean? The way I, and I think my noble friend, read it is that, of a board of five, three can be of the same political party. Is the noble Lord saying that it is in the interests of civil liberties and all these other things to have a board of which three members are from the same political party—presumably the government party? Will that really then be an independent board?
Lord Paddick
The fact is that it is up to the Secretary of State to appoint those members to the board. One would hope that the Secretary of State would use the freedom provided by this amendment to ensure that the board is balanced. As with the noble and learned Lord, Lord Keen, I also have my brief. However, on this occasion it would be disrespectful to the House to press this amendment to a vote. Despite my brief, I beg leave to withdraw the amendment.
Lord Harris of Haringey
Main Page: Lord Harris of Haringey (Labour - Life peer)Department Debates - View all Lord Harris of Haringey's debates with the Ministry of Defence
Investigatory Powers Bill
Lord Harris of Haringey ExcerptsMonday 17th October 2016
(7 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 62-III Third marshalled list for Report (PDF, 153KB) - (17 Oct 2016)
Lord Harris of Haringey (Lab)
My Lords, I am sure that the entire House is grateful to the noble Lord, Lord Paddick, for giving us a comprehensive list of ways in which we can try to keep our communications secret and away from prying eyes. I am sure that every Member of the House is grateful for that tutorial, but the noble Lord does rather elide the question of those people who perhaps have not had the benefit of his tutorial. I realise that the whole world of terrorism and organised crime is listening with intent to every word that he says on these matters, but there will be such. He gave a specific example, saying that communications data in the past would have demonstrated that X had contact at a travel agent. When I book train tickets, I usually do not use WhatsApp or a VPN—I simply go online and connect to the relevant train company. So if somebody wanted to find out whether I had been booking a train ticket, my internet connection record would provide that information. I therefore do not quite understand the argument that, because there are ways that you can avoid the state knowing what you have done if you are really determined, you should therefore prevent it knowing what you have done if you are not really determined.
My understanding is that not all terrorists and not all organised criminals are terribly good with this stuff—that they make mistakes—so the horrifying consequences that the noble Lord describes therefore might not actually occur, and instead, a lot of very nasty people will be caught, because they do not have the noble Lord’s encyclopaedic grasp of ways of keeping communications secret.
Lord Strasburger
Amendment 118A seeks to prevent the creation and collection of internet connection records. My noble friend Lord Paddick has explained why ICRs are of little security value, and that they would be very difficult and expensive to collect and make use of. The only democracy to try was Denmark, which gave up after years of fruitless effort. It tried again at the beginning of this year with a project almost identical to the one planned by the Home Office, but quickly abandoned it when independent auditors confirmed that it would be prohibitively expensive.
I wish to draw the House’s attention to two other serious drawbacks that would arise from creating and storing internet connection records. The first is the serious impact on the privacy of every user of the internet in this country. We must remember that internet connection records do not currently exist, and until quite recently—say, 25 years ago—all the electronic data that would have to be collected together to create ICRs did not exist, either. In those days, our private interactions with those close to us left no trace. A conversation over lunch, a cash purchase at a shop, a visit to a library to do some research, attendance at a political meeting, a romantic assignation—all left no record of having happened. They were ephemeral. What happened between your four walls was between you and your God.
Fast forward to today, and we find that all the interactions I have just mentioned now leave an electronic trail behind them. A combination of credit card records, location services on our phones, our emails and text messages and records of every website we visit will give the whole game away—including the identity of whom we met at our assignation. If internet connection records are created and kept by our service provider, all these electronic trails will be available to hundreds of public authorities, not just the police and security services, on demand and simply by self-authorisation.
The Government have given this data the name “internet connection records”, which is technically accurate, but what they really are is private activity records: a log of everything we do and when and where we do it. The problem is not that the surveillance can occur at all, but that it happens indiscriminately to all of us, all the time. My second topic is the ironic fact that ICRs will actually reduce our security, rather than improve it, because of the virtual certainty of thefts of some of that private and personal data about every internet user in the country. If you do not believe me, consider just a few of the thousands—and I mean thousands—of recent data thefts from high-security establishments. I mentioned in Committee that SWIFT, the fulcrum of the global financial payments system, has had $81 million stolen from it by hackers. Last week, it emerged that it has been penetrated a second time. A gang of five eastern Europeans is believed to be behind the theft of 3 billion sets of customer data worldwide from many of the world’s leading tech companies, including the data of 500 million Yahoo! customers. As I mentioned earlier, powerful hacking tools belonging to the NSA, the American equivalent of GCHQ, suddenly appeared on the internet in August having been stolen from it, and two Israelis and an American stole 100 million people’s records from 12 US financial institutions. Those are just a few examples—as I say, there are many more—of thefts from sites which, dare I say it, were seemingly far more secure than those of UK service providers.
Internet connection records, or private activity records, will be stolen and the consequences will range from embarrassment to blackmail and fraud for the unfortunate victims. In the case of people in positions of responsibility, including government officials, the consequences could be catastrophic. Far from making us safer, ICRs would compromise our security and, as I have explained, seriously intrude on our citizens’ privacy. We should have nothing to do with them.
Lord Harris of Haringey
Main Page: Lord Harris of Haringey (Labour - Life peer)Department Debates - View all Lord Harris of Haringey's debates with the Ministry of Defence
Investigatory Powers Bill
Lord Harris of Haringey ExcerptsWednesday 19th October 2016
(7 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 62-III Third marshalled list for Report (PDF, 153KB) - (17 Oct 2016)
Lord Paddick (LD)
My Lords, Amendment 196A is in my name and that of my noble friend Lady Hamwee. It seeks to remove internet connection records from the type of communications data that can be acquired in bulk. Noble Lords will be very well aware of my views, and the agreed view of the Liberal Democrats, on internet connection records. We believe that they are unnecessary and disproportionate, for the reasons that I have articulated in detail throughout the passage of the Bill.
I shall just remind your Lordships what internet connection records mean. Internet service providers are being forced to keep a record of every website that everyone in the UK has visited in the last 12 months, whether the subscriber is suspected of crime or not. Even though only the first page of each website visited is shown, visiting www.relate.org.uk could, for example, immediately indicate that your marriage was in trouble. However there are some safeguards, including some concessions extracted by the Labour Opposition, to ensure that only the internet connection records of those suspected of crimes that could result on conviction in a sentence of 12 months’ imprisonment or more can be examined by law enforcement agencies.
We are also grateful to the Labour Opposition for securing the review of bulk powers carried out by David Anderson QC, the Independent Reviewer of Terrorism Legislation. We are particularly grateful to David Anderson for highlighting in paragraph 2.41(b), on page 33 of his report on bulk powers, that,
“it is not currently envisaged that the bulk acquisition power in the Bill will be used to obtain internet connection records”.
However, in a footnote at the bottom of that page, Mr Anderson states that he has been told,
“that this is no more than a statement of present practice and intention: neither the Bill nor the draft Code of Practice rules out the future use of the bulk acquisition power in relation to ICRs”.
In Committee, the noble and learned Lord, Lord Keen, said:
“I can confirm to the Committee that the agencies do not currently acquire internet connection records in bulk and have no current intention to do so. It is however important to ensure that we do not legislate against the possibility of internet connection records being acquired in bulk, should agencies make a case which demonstrates that this might be necessary and proportionate in the interests of national security in future”.—[Official Report, 7/9/16; cols. 1087-88.]
Surely we should be legislating for a proven need, not not legislating against a possible but unlikely proven one.
Noble Lords will remember that the security services—GCHQ, MI5 and MI6—have all said that they do not need internet connection records in order to do their work. The power to acquire communications data in bulk, including the power to acquire ICRs in bulk, is available only to those agencies. The power to acquire internet connection records in bulk is therefore not needed. They are not collected in bulk at the moment, and there is no current intention to do so. If this were an opposition amendment to include ICRs in bulk data acquisition, the Government would quite rightly say it was unnecessary. The power to acquire ICRs in bulk also strips away all the safeguards that are in place when law enforcement agencies apply for individual internet connection records.
This is the online equivalent of Section 44 of the Terrorism Act, which allowed the police to stop and search people without any reasonable suspicion. The former Home Secretary, now the Prime Minister, Theresa May took that power away from the police because she considered it disproportionate.
Lord Harris of Haringey (Lab)
Surely Section 44 was for target hardening and deterrence rather than for any other purpose.
Lord Paddick
I am very grateful to the noble Lord, Lord Harris, but that is not what I understood Parliament’s intention was when the legislation was enacted. We can argue the point. If the analogy with stop and search sounds familiar to noble Lords next to me, including the noble Lord, Lord Harris of Haringey, it is because it is an analogy that was used by the shadow Home Secretary Diane Abbott in describing the powers under the Bill, which she describes as draconian.
The pieces of this legislative jigsaw are beginning to fall into place. Telephone operators already keep a record of the details of every phone call made and every text message sent. Internet service providers are being forced by this Bill to keep a record of every website, you, I and everyone else in this country have visited over the previous 12 months, which is a provision this House agreed to on Monday in a Division when it rejected the Liberal Democrat amendment to prevent it. A request filter, operated by or on behalf of the Government will be constructed. It will have direct feeds into the databases of communications providers, including access to the sensitive personal information of every subscriber to telephone and internet services in the UK, every call they make and every website they visit. The House agreed to that provision in a Division on Monday when it rejected the Liberal Democrat amendment to prevent it. The power is then given by this part of the Bill to allow all that sensitive personal information—details of every phone call made and every website visited—to be downloaded at will by the security agencies with no further authorisation. I hope that at least some noble Lords are feeling uncomfortable at that prospect. Our amendment removes internet connection records from the data that can be acquired under a bulk acquisition warrant. I beg to move.
“( ) For the purposes of this section, “electronic protection” does not include electronic protection applied directly by the communications device or operating system of the end user which has the effect of encrypting the communications data in transit such that the relevant telecommunications operator does not have a means to access the associated communications data or content.”
Lord Harris of Haringey
My Lords, noble Lords who have followed my limited contributions to the Bill will know that I take a fairly robust approach in support of what the Government seek to do in it. Indeed, they may even be slightly perplexed that I have tabled this amendment, which is supported by the Liberal Democrat Front Bench, given the slightly testy exchanges that have occurred once or twice during the passage of the Bill. However, my philosophy throughout has always been clear—namely, that by and large this Bill is needed to update current legislation and to protect the public. However, all the measures have to be tested in terms of the balance that they strike between protecting the public and their potential invasion of privacy. We have debated that issue but in this case the disbenefits I am concerned about are the extent to which what the Government may be trying to do—the Minister will no doubt explain what that is in more detail in a few minutes—under the Bill as drafted will weaken the security that people would otherwise have.
The Bill provides the Home Secretary with the power to require a communications provider to install some sort of technical capability to provide data on request, including where those data would otherwise be encrypted and are therefore not so easily available. The Bill includes an impressive array of safeguards. The Home Secretary is required to apply a series of tests before they make a decision to serve an order on a communications provider, and a process of consultation and discussion has to go forward. Those measures are all designed to ensure that not only is the Home Secretary properly informed in making that judgment but using the power is practical and reasonable. Indeed, the Bill emphasises the importance of the test of something being reasonably practical and technically feasible. I have asked for an explanation of the precise distinction between reasonably practical and technically feasible. I accept that there may be a distinction.
A whole series of tests applies under those circumstances but we do not know how those tests might be applied in future or what the Home Secretary might decide. Therefore, we cannot know how a future Home Secretary, or the present Home Secretary, would interpret what is and is not practicable and reasonable. In particular, we face an ambiguity—at least I think there is an ambiguity here—over what it will mean for end-to-end encrypted services. End-to-end encrypted services allow an end-user to send a message via a particular service which can be opened and read only by the person to whom it is sent. That is an important reassurance which we would all like to have in terms of our private communications. The company that conveys that message to the other person—the company in the middle—has no ability to see that message. The communications provider has provided that as a service because it is believed that that is what customers want.
Not all communications providers do that. Some provide a service where it is clear—it says so on the tin—that they will have the option to be aware of what is in the message because they use that to sell advertising. However, not all communications providers operate on that basis. The purpose of that encryption arrangement is to ensure that the data are protected by means of encryption against outsiders looking at them. The encryption key is held only by the person who sends the message and the person who receives it. Nobody else in between has that capacity. The potential implication of that is that the communications provider cannot find a way to discover the content of such a message, even if it wanted to and even if required to do so by the Government.
Lord Rooker
My Lords, if I could be convinced that the same rules applied everywhere on the globe—because we are talking about a global function—in respect of the rule of law, freedom, transparency and privacy protection, then I might have a bit of sympathy with the business operators, as we will call them.
I had the privilege of being among those serving on the RUSI panel. We had a discussion with the providers, but they did not all want to come and sit round the table at the same time—I recall two or three sessions—because they are competitors. We put it to them—it was not original; it had come up elsewhere—that not one of these companies, whether Apple, Google, Facebook, Twitter, Yahoo or Microsoft, would ever have been able to start what is now their global business in countries such as Russia, Iran and China. Yet they have become global and make enormous profits, although I will not go into the issue of them paying their taxes.
These providers hide behind the fact that the countries where they are able to start and function have the rule of law and are democracies where you can challenge Governments in the courts and get redress, yet they then go and operate in countries where they cannot do that. If they all said, “When we operate in China, we’re going to produce all our phones fully encrypted, exactly as we do for everybody else. The Chinese Government are allowing us to close end to end. They don’t want to know what their citizens are saying”, then fine, but I do not believe that that is the case, and that is part of the problem.
My noble friend Lord Harris touched on the issue of other Governments, but we can legislate only for the UK. I fully understand that, yet half of an email sent from my office upstairs to a colleague here might be split and end up travelling through the rest of Europe or America or half-way round the world. That is how the system works. Just because you are emailing someone in this country from within this country, you cannot guarantee that the entire message will stay in this country while it is being whizzed round the world. The system does not work as I originally thought it did. So we can legislate only for this country and messages get split up around the world.
The fact is that the business plans and business operations of these companies depend on open, transparent and democratic countries with the rule of law, yet they are willing to work in countries where there is no rule of law and where there are corrupt regimes, such as in Russia, or undemocratic regimes, as in China. These are countries with huge populations and the companies can do business there according to a different business plan from the one that applies here. From the point of view of those who are there to protect us, that has to lead to a suspicion that at some point we might need a bit more information than we have and that we might need to ask for that to be provided.
I take second place to no one on the protection of privacy, but the fact is that you cannot discuss this issue just in the context of the UK or Europe; it is global, and the rules do not apply equally across the globe. If we take that on board, I think we ought to have a fair degree of sympathy with how the Government will operate these measures.
I have listened to other people and have read more about this matter since finishing our work on the RUSI panel, and the fact is that there is a great reluctance to have these powers. In a democracy there is an incredible reluctance for private information to be treated in this way, but at the end of the day there will be proportionality and our people will be tested on the need for these powers. One of the raisons d’être of the Bill is to put in second and third checks, so those with the powers will be watched and the watchers will be watched, and that is how we can give the public confidence. I do not think that we ought to write the Bill to suit the business operators’ original business plans, because they are not implementing them on an equal basis across the globe. Therefore, I hope that the Government will reject these amendments.
Lord Harris of Haringey
Before my noble friend sits down, to be honest I think that he has slightly misunderstood the point that has been made. I am not putting this forward because of the business models of particular companies; I am proposing it because of the inherent weakness that could conceivably be created. His argument, if I understood what he just said, is that because Russia or China may require, or may force because the business there is so valuable, a communications service provider to put in one of these back doors, therefore we need to have the same facility. The point is that, because it is a global provision, if a back door is built in—because Russia or China or wherever else has demanded it—then a technical capability notice would operate because the operator would have that existing facility. That is precisely the circumstance in which a technical capability notice could be served. This amendment seeks to exclude a requirement from our Government that it should be created at our behest, which other people would then use.
Lord Rooker
I take on board what my noble friend is saying. I fully accept the distinction he makes but, basically, although I am a customer of some of these companies, I do not trust them—they will tell us that this has been built in and is secure, but do deals with those other regimes.
Earl Howe
We come back to the test of reasonable practicability here. I am about to come on to what the Bill does not provide for on encryption and I hope that this will help the noble Lord.
The Bill does not ban encryption or do anything to limit its use. The Bill will not be used to force providers to undermine their business models, to create so-called back doors or to compromise encryption keys. It will not be used to prevent new encrypted products or services from being launched and it will not undermine internet security.
Lord Harris of Haringey
I am very grateful for the detailed exposition that has been given. The Minister says that the Bill will not be used to do those things. Can he confirm that it cannot be used to do those things?
Earl Howe
My Lords, some noble Lords have suggested the Bill’s provisions cause a weakening in encryption, which I think is the central point that the noble Lord is getting at. Many of the biggest companies in the world rely on strong encryption to provide safe and secure communications and e-commerce, but retain the ability to access the content of their users’ communications for their own business purposes, such as advertising, as we have heard. These companies’ reputations rest on their ability to protect their users’ data. This model of encryption can, and does, maintain users’ security. I do not think that anyone would dispute that.
Before I come on to the individual amendments, it would be helpful to address a number of specific points that were raised in relation to encryption. There was a suggestion that a company should never be asked to do something that it does not already do. Such an approach would of course, at a stroke, remove our ability to use any of the powers in the Bill, including carrying out any interception of terrorists’ and serious criminals’ communications, because companies do not do this in the normal course of their business.
There was a suggestion that equipment interference would do away with the need for these provisions. It will not. Equipment interference is no substitute for having a company’s assistance. Even if it were, there are only a very small number of very clever people who are able to carry out equipment interference. There will never be the capacity to deploy them on each and every operation.
Finally, there was a suggestion that encryption is not a problem for the security and intelligence agencies. The heads of those agencies have repeatedly made clear that ubiquitous encryption is one of the most difficult challenges they face.
I now turn to the individual amendments, because I hope that this will clarify the picture further. Amendment 251 seeks to preclude an obligation to remove encryption from being imposed under a technical capability notice in relation to end-to-end encrypted services. I hope that the points I have already made make clear why the proposed amendment is not necessary and indeed why it is not desirable. As I have set out, the Government recognise the vital importance of encryption. Nothing in the Bill does anything to limit its use, and that of course includes the use of end-to-end encryption. But I have also set out the dangers of creating a guaranteed safe space online for those who would seek to do the public harm such as terrorists and other serious criminals, and I am afraid that that is exactly what this amendment would do. The amendment seeks to make explicit provision in law for there to be certain online services that criminals can use to go about their business unimpeded with no fear of being caught. That is not a position that any responsible Government or, I hope, Parliament could support.
What we must ensure is that the Bill enables us to work collaboratively with individual telecommunications operators to establish what steps are reasonably practicable for them to take, considering a range of factors including technical feasibility and likely cost. Any decision will have regard to the particular circumstances of the case, recognising that there are many different models of encryption, including many different models of end-to-end encryption, and that what is reasonably practicable for one telecommunications operator may not be for another.
As I have already said, this is not about asking companies to undermine their existing business models; it is about working with them to find a solution to ensure both that their customers’ data remain secure and that their services cannot be exploited by individuals who pose a threat to the UK. So in answer to the question put by the noble Lord, Lord Harris, I can confirm that these provisions cannot be used to introduce back doors or undermine internet security.
Earl Howe
We already have a wide range of safeguards which I have listed. I do not see that it is necessary to go down the road the noble Lord is advocating because of the dangers that I have pointed out. These amendments would create safe spaces which I am sure that neither he nor any noble Lord would desire to occur.
Lord Harris of Haringey
My Lords, I am enormously grateful to the noble Earl for his detailed response and for reiterating the welcome and voluminous safeguards that are set out in the Bill. They are important and valuable, and they give me confidence about the context of the whole Bill. However, the argument with which he concluded does not quite hold together and there is an elision between different issues. The noble Earl has given an absolute assurance, I think on the basis of a piece of paper that was handed to him, that it cannot be used to require a communications service provider to build a back door or to create one in a future area. But then he said that we must not put in the Bill something that creates a safe space. Either the Government’s position is that this cannot be used to require a company to produce a back door, in which case the safe space exists and presumably the Government are not happy with their own legislation, or it is the case that the Bill could require a communications service provider to build such a back door.
We have already heard from the noble Lord, Lord Evans of Weardale, that what we are trying to do here is balance two national security concerns: the national security concern to prevent terrorism and so on and the national security concern about making it slightly easier for cybercriminals. These are very important issues. If the Government are clear that, as a result of the Bill, a technical capability notice could not require an operator to build a back door that would otherwise not exist, it is important to set that out in the Bill. If we are in a position where techUK says—as it has in the briefing it circulated to me and, I am sure, to other noble Lords—that this is ambiguous, perhaps it is the responsibility of the Government to remove that ambiguity and make the position clear. I do not really want to have to divide the House on this matter, so between now and Third Reading, is the noble Earl prepared to turn the unequivocal assurance he has given that it cannot be used in this way into an amendment to the Bill that will remove that ambiguity?
Earl Howe
With the leave of the House, I hope I can help the noble Lord on this because I do not believe that the Bill is contradictory. First, the term “back door” has been used, but I do not think that is a helpful or accurate way of describing the Bill’s provisions. “Back door” is in everyone’s judgment a loosely defined term. It is used incorrectly to imply that the Bill would enable our law enforcement, security and intelligence agencies to gain unrestricted access to a telecommunications operator’s services or systems, thereby undermining the security of those services—to force that to happen. That is absolutely not the case. The Bill enables our agencies to require telecommunications operators to remove encryption themselves, only in tightly defined circumstances: where they have applied the encryption themselves; where it has been applied on their behalf; where it is reasonably practicable for them to remove it; and where doing so is required to comply with a relevant warrant, notice or authorisation.
I come back to the point I made earlier. This is about the Government being able to sit down with companies and reach agreement with them on the basis of what is reasonably practicable, affordable and so on. It would not be responsible for any Government to deny themselves the possibility of doing that and discussing what in all the circumstances is reasonably practicable for the company, and for the company to agree to do it.
Lord Harris of Haringey
Again I am grateful to the noble Earl. I do not think anyone here has misunderstood the point that this is not about giving the Government uninterrupted access. It is about requiring companies to create a facility so that if they are asked, after all the suitable warrants have been gone through and all the safeguards have been fulfilled, to gain information and pass it back to the Government. I accept that that is the position and that is what is intended here. However, the Minister has still not been unequivocal on whether technical capability measures could require such a facility to be created, so that, in those circumstances and with all those safeguards in place, something could be done. It is a critical issue that we need to clarify. Otherwise, we do not know where we stand as far as the amendment is concerned. The Minister needs to provide the House and the IT industry with as much clarity as he can on this point, because the danger is that it will become the subject of continual argument.
Were the Bill to be amended by any of the amendments in this group, the Government would still have the option to say that they were minded to serve a technical capability notice on a particular company. That would then trigger a series of discussions, because it is what the Bill provides for, and a communications service provider might come back at that point and say, “Look, we literally cannot do it. We do not have the facility”. However, it is not clear whether the Government could none the less say, “Well, we understand that, but we are requiring you to do it”. The question then is: what is or what is not feasible? I happen to believe that some of the biggest communications service providers in the world have more computing expertise than any nation state. If they are told, “You are legally required to do this”, they could do it; they could find a way of making it happen. We have to be explicit as to what the Government’s expectation is. Are they saying, “No, that is not what we are requiring”, or are they saying, “Well, we might”? If they are saying, “We might”, that clarifies the position, if not helpfully. If they are saying, “No, we are not”, which is what the Minister said earlier, perhaps we could put that in the Bill—if not in the form of words proposed, then in some form of words that the Government could craft between now and next week. That would be a helpful way forward and provide absolute clarity as to the extent to which technical capability notices could be served. If I am not able to get that assurance from him—I appreciate that bits of paper have been flying backwards and forwards between him and the Box—we are in a very difficult position.
Earl Howe
I can state categorically to the noble Lord that it is absolutely not the case that the Bill would force a company to insert a back door, thereby undermining internet security. We might ask a company in certain circumstances to decrypt particular data if it was reasonably practicable and feasible for them to do so.
Lord Harris of Haringey
My Lords, I understand that that is the case; that is, if they have the encryption key—we will not use “back door”; we will find another form of words—and the capability to do it, and it is not too complicated and all the relevant warrants are in place, yes, they will do that. As I understand it, most tech companies are perfectly understanding of that and willing to do it. The question is whether, if the Government were presented with a situation they were concerned about, they could say to one of the biggest communications service providers in the world, “We are asking you to build something which is not there at the moment, but we’ll provide that facility for those circumstances that might arise in the future when we’ve gone through all the relevant warrants and so on”. I am looking for an assurance from the Minister that that is not sought here, because of the dangers that we have already discussed. If he wishes, I can reiterate the question to give the Minister the opportunity to read the piece of paper that has just arrived.
Earl Howe
Of course, a technical capability notice can require a new capability to be built; that is what they are there for. If it was neither practicable nor feasible, they would not have to do it. The problem here is that it is very difficult to generalise, because any decision about these things would have to have regard to the particular circumstances of the case. As I said, there are many different models of encryption, including many different models of end-to-end encryption. Any decision has to recognise that what is reasonably practicable for one telecommunications operator may not be for another. That is why I have referred repeatedly to the need for the Government and industry to have that easy interchange which they do at the moment. It is important to emphasise that these powers already exist in law today. We should not do anything that undermines the basis for the constructive discussions that we are having.
Lord Harris of Haringey
The Minister reminds us that the ideal arrangement is one of easy interchange and discussion—I understand that that carries on and works very well. He is right to say—this is why the wording of the current legislation is ambiguous and therefore a problem—that building a technical capability could mean simply putting in a piece of equipment, which means that, at the point at which the Government ask, having gone through all the voluntary processes, it is quite a straightforward matter to provide the information that the Government have legitimately and lawfully requested. That is one definition of technical capability.
What I want to know is whether “technical capability” could apply to a very secure end-to-end encryption process which no communications service provider could break but where, if they devoted thousands of person hours in California or wherever they operate from, they could develop something which might do that. If that is what the Bill is saying, we need to know.
Lord Harris of Haringey
I accept that it would not be reasonably practicable; it would also be very expensive—as I understand the Bill, the Government would have to pay for it and I am sure that technical experts in California or wherever might be very expensive. If that is the case, and if it is not possible to write it into the Bill—I would have thought it could be—it would be helpful for the Minister to write and make very clear what the Government’s intentions are in that regard and confirm that such circumstances are precluded by the Bill. If the Minister is prepared to do that, I am prepared not to press the amendment to a vote.
Earl Howe
I think I have made the Government’s position as clear as I possibly can and I am not sure what I can do to amplify the remarks I have already made. While I want to be as helpful as possible to the noble Lord, I am struggling to see how a letter from me would make the position clearer.
Lord Harris of Haringey
I understand the Minister’s dilemma and I am sure that a letter from him to me would have far less force than the words appearing in Hansard. I appreciate that the courts can look at the debates in Hansard to try to interpret them. However, I ask that the Minister spends the next few days just thinking about some further modification to the Bill to make sure that this ambiguity, which I think genuinely exists—because techUK tells me so—is cleared up. On the basis that I am sure he will spend his waking hours between now and next Monday thinking about precisely these matters, I beg leave to withdraw the amendment.