Stella Creasy
Main Page: Stella Creasy (Labour (Co-op) - Walthamstow)Department Debates - View all Stella Creasy's debates with the Home Office
Investigatory Powers Bill
Stella Creasy Excerpts(8 years, 1 month ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Mrs May
With a degree of prescience, my right hon. and learned Friend refers to the very next issue that I will address in my speech. I was going to point out that I know some right hon. and hon. Members have scrutinised the language in the Bill and have raised exactly that issue. I want to be absolutely clear: under the Bill, it will be for the judicial commissioner to decide the nature and extent of the scrutiny that he or she wishes to apply. Crucially, I can reassure right hon. and hon. Members that commissioners will have access to all the material put to the Secretary of State. The judicial commissioner will look not just at the process, but at the necessity and proportionality of the proposed warrant.
Mrs May
I have to say to my right hon. and learned Friend that that will not be the case. The point is that it is important that the Secretary of State and the judicial commissioner make decisions on the basis of the same information being available to both of them. If the judicial commissioner decides that there is not enough information available, he or she would presumably refuse the warrant. It would be open to the Secretary of State to appeal to the Investigatory Powers Commissioner to look at the warrant again, or if the warrant is refused in such a circumstance, the Secretary of State might themselves say, “Take the warrant back, put in more information and resubmit it.”
Joanna Cherry (Edinburgh South West) (SNP)
Will the Home Secretary give way?
Mrs May
I will come on to talk about the bulk warrants, but it was clear from the Committee reports that the powers in the Bill are necessary. The ISC raised a question about the bulk equipment interception warrants, but, following that, the Government have produced further information on all bulk cases. We published some case studies and examples of how the powers would be used alongside the redrafted Bill.
Stella Creasy
May I take the Home Secretary to the other end of the telescope, as it were, on this matter? One of the concerns people have about a general access point is not about the warrants, but about the notion that, especially online, we can separate contact and content data. The idea is to allow access to contact data, but that will inevitably be blurred with content data online. Does she accept that there is a challenge in separating contact and content data, which could give rise to some people’s concerns about general access to information? Looking at somebody’s internet correspondence is not the same as looking at a record of their phone calls.
Mrs May
I know that that issue was raised when the draft Data Communications Bill was considered and has been raised in relation to the internet connection records power in this Bill, but such a separation is absolutely possible. We have talked at length with companies about being able to separate, for internet connection records, the websites that a particular device has accessed from the content of whatever has been looked at. It is very important for me to make it clear that when we talk about ICRs, we are talking not about looking at people’s web-browsing history, but about looking simply at the initial point of contact.
In relation to the authorisation process, which we have discussed in relation to the questions asked by my right hon. and learned Friend the Member for Rushcliffe (Mr Clarke), I welcome the Joint Committee’s clear endorsement of the double lock regime and, specifically, the language of the Bill on that point. Right hon. and hon. Members who think that the senior judiciary will simply rubber-stamp Government decisions have clearly never dealt with British judges.
In the case of urgent warrants, the provisions have been tightened in response to the pre-legislative scrutiny.
Stella Creasy (Walthamstow) (Lab/Co-op)
A comment often made to explain why political events go on for so long is that, although everything that needs to be said has been said, not everybody has yet said it. In the spirit of trying to offer something different to this debate, I want to speak as a member of the Science and Technology Committee, which we might call Parliament’s geek squad, and raise a third set of concerns about the Bill as it currently stands.
Members have already talked about proportionality and people’s concerns about the balance between security and liberty, about the challenges of extra-jurisdictional legislation and whether, in a global world, we can pass national laws that make sense. I want to add concerns about the technical aspects of the Bill and, frankly, about whether it will work. Is this legislation designed for digital natives who are comfortable with the modern world, or has it in fact been designed by what we might call digital refugees—people who run away from the reality of the modern technical advances with which we are trying to deal?
All of us have had the experience of trying to explain to a person aged under 20 that, no, we could not google our homework when we were at school. Many of us may have jumpers that are older than the internet, which has fundamentally changed our lives. In this country, a third of all divorces contain a reference to Facebook, a technology that came into our lives only in 2007, but has fundamentally transformed that most personal of relationships. When we come to thinking about legislation that takes account of modern technologies and the ways in which they change, such legislation must be based on an understanding of those technologies and of the consequences of such changes to the law.
With that in mind, it was when the Committee looked at the question of surveillance, especially internet connection records, that concerns arose. Concerns arose in particular about the idea that, as the right hon. Member for Sheffield, Hallam (Mr Clegg) said, a dragnet could be used to bring together internet connection records for every single member of the British population for 12 months, and about what that might entail.
There is a fundamental challenge at the heart of the Bill about the idea that it is possible to separate somebody’s contact data from their content data. Many internet companies have made that point and said that they are concerned about such a definition. As yet, the legislation has not completely grappled with that definition. The Bill makes a distinction between identifying IP addresses and being able to know whom people have contacted, and what it calls anything else that
“might reasonably be considered to be the meaning…of the communication”.
That definition makes sense when we are talking about phone records, but the legislation has to cope with the world to come, not the world that has gone. If I send a message through Outlook, others do not need to know the content of the message to know that it is a request for a meeting. When we talk about knowing which websites people have visited, that of course brings with it content analogies: if I visit the Refuge website or the Alcohol Concern website, that is contact data, but because it is online contact, by its very nature it carries content information.
I very much welcome the shadow Home Secretary’s comments about our needing to challenge such definitions. We need a much tighter definition of what it means to have an internet connection record and of what information is held as part of that record. All three of the Committees that have looked at the legislation have called for that. However, to date, we have not heard from the Government an understanding that in the modern world the distinction between content and contact is not viable. The distinction between entity and events, and everything else, must be much tighter in the Bill. If it is not, the question of who can access that information bleeds into the question of who can access the meaning of those content combinations.
Such questions will become starker as the internet develops, and particularly with the internet of things—I see that a few digital refugees on the Government Benches, and perhaps even some Labour Members, are querying what the internet of things is. It is the growing number of physical objects that are connected online. This Christmas I was given a coffeemaker that I can set off using my mobile phone, and it is wonderful to sit in bed and order several cups of coffee. So far, we have online airbags in cars, online burglar alarms, and some Members might even set their home electricity online. All those forms of contact are created through online mediums. We will soon have pacemakers that are electronically set up. People will be able to access their bank accounts in the same way. All such contact is potentially information that could be created in an internet communication record. It could also be useful in an investigation.
Kevin Hollinrake (Thirsk and Malton) (Con)
With the internet connection record, we are looking for a past history for a future crime. If someone is investigating a child abuser or a terrorist, is it not relevant to see their past records and whether they have accessed sites with relevant material? We would be able to see that from contact information.
Stella Creasy
I am not quite sure about the hon. Gentleman’s point because no one is suggesting that we would not want to access such information. My point is that, from a technical perspective, separating contact data from content data is much more difficult than the Home Secretary suggests. That means that we need more honesty about the powers we are proposing that our police and investigatory authorities should have.
For example, if someone can get information about my use of an electricity meter, they might want to look at the contact between me and that meter. If I were accessing it a lot, they might wonder what I was doing in my home that required so much heat. Drug enforcement agencies might look at such contact patterns, and inevitably that brings with it content about what someone is doing. That does not mean that we do not need methods to access that information; it means that one thing missing from this debate to date is an honesty about the technological complications that will come with this Bill, and we must address those concerns.
The Minister for Security (Mr John Hayes)
Perhaps I can reassure the hon. Lady. The Home Secretary emphasised that we continue to have discussions with the providers for exactly the reasons she has described. It is essential that they can do what we oblige them to do, and we are determined to put those mechanisms in place. The right hon. Member for Sheffield, Hallam (Mr Clegg) gave the game away because he said that repeatedly, over time, security services and the police have requested the ability to carry out such work, for the simple reason that they need to do that in order to protect us all.
Stella Creasy
I am grateful to the Minister for acknowledging that the idea that one can always separate contact from content data is not viable. We need a much more honest debate about who will be able to access that information and under what circumstances. I hope that that will be discussed in Committee, because as the Bill is currently drafted, we cannot justify to our constituents the fact that their content data may be accessed—however inadvertently—because of the nature of technology. We must address that.
Let me move on to the question of honesty about encryption. A lot of technology companies and the technology industry in our economy are concerned about how the Bill may affect encryption. The Bill gives the Secretary of State the power to serve technical capability notices, and to require companies to remove their electronic protection. Again, it is not yet clear what that means, what protection exists in terms of encryption technologies, and what that might mean for other consumers of services. That is a real concern for many.
We know that encryption is a vital part of security for services. Constituents will mention Ashley Madison and TalkTalk, or they may be aware of hospitals that did not have security measures in place and had their systems hacked. We are talking about whether the Government will require those companies to bring in those backdoor opportunities for accessing information. We need much stronger scrutiny of the Bill and of what the encryption process means, not least because removing some of the encryption requirements would create a security risk. The Government are making that choice in return for the ability to do some of the things they are talking about doing, and we need to be honest with the public about that.
There is also a question relating to the security of data. In 2009, the Conservatives made great play of turning back the “surveillance state”, but it seems to me that they are seeking to privatise the databases they told us they did not want to see developed. The Bill asks companies to hold the data, but the security of that data is not clear. We know that having to hold everybody’s internet records for a whole year will be a honeypot to hackers. That will be a massive security risk unless security processes are in place—even if data are held by private companies. The fact that the Government have not clarified who will pay for that security, what a reasonable cost is and how to resolve disputes about what a reasonable cost will be, leaves open a gap that not just hackers but consumers will be deeply interested in. The Government must be much clearer about how they will make sure they protect consumers from having their information hacked as a result of requiring companies to gather data.
There are similar concerns about bulk interference and encryption data, but my central point is this: there are questions about the proportionality and the judicial extent of the Bill and working overseas, but there are also concerns about technology. We have to be able to answer questions on all three issues to be satisfied that the Bill is appropriate for the 21st century. I hope those issues will be addressed by amendments in Committee. I believe that many members of the Science and Technology Committee share concerns about whether our technology industry is comfortable with the proposed legislation.
For the Government to fail to act on any one of those questions will compromise the others. If we do not get the technology right and do not work with our overseas partners, we will not keep anybody safe. We could, in fact, create more problems. I hope Ministers will listen to those concerns and I hope they will recognise the spirit of what they said in 2009 about the importance of rolling back the surveillance state. I also hope they will be digital natives, not digital refugees. I will not support the Bill on Third Reading if they do not change it.