Stephen McPartland

- Hansard -

Copy Link

- - Excerpts

I totally agree with my right hon. Friend’s point. As a Master of Science and Technology, I, of course, have never hacked anything in my life and would never dream of doing so, but it is not a particularly difficult thing to do at the moment. Many people do not appreciate that the measures in the Bill are authorising the state hacking of equipment. Combined with other measures in the Bill, this is not just about hacking the equipment of somebody who may be of particular interest as part of a terrorist organisation; we are talking about every man, woman and child with an electronic device inside the UK. That is where my concerns arise.

Stephen McPartland

- Hansard -

Copy Link

- - Excerpts

I am grateful to my hon. Friend for her intervention, but the reality is that schedule 4 to the Bill will give a range of other organisations the ability to access this power if they choose to do so. For example, the Financial Conduct Authority could do so in circumstances relating to the stability of the markets. A whole variety of organisations will be able to use these powers, not just the intelligence services. Police services up and down the country already use equipment interference to target criminals, for example. A whole range of powers such as these is already being used. I appreciate that the Bill is trying to put them on a statutory footing, and I understand the need to keep people safe, but we have to balance this with resources. Let us remember 9/11 in the United States, when many different agencies and organisations had information but were not sharing it. I believe that we are getting ourselves into a situation in which we will have so much information on so many people that it will be of no value to us whatever. It will be like the internet: you can put anything in, and you get 3,000 pages back.

We need a stronger legal framework if we are going to authorise the state hacking of equipment in the United Kingdom. My amendments 187 and 188 simply seek to ensure that all targets of hacking are properly named or specified. We need a more specific legal framework. Amendments 173 to177 would eliminate the power of the Government to compel third parties to assist in carrying out equipment interference. As the Bill stands, this compelled assistance will not be subject to any judicial authorisation process. The relevant organisations will be able to turn up at a company and say, “We have this warrant, so you now have to help us to hack your devices.” The company will have no choice. Clause 114 contains strict non-disclosure provisions, which are effectively gagging orders that will prevent anyone from being able to say whether they have been involved in such procedures. The Science and Technology Committee documented widespread concerns regarding company compelled hacking and concluded that

“the industry case regarding public fear about ‘equipment interference’ is well founded.”

The draft equipment interference code of practice indicates that no company in the United Kingdom, no matter how small, is exempt from these obligations.

My amendments 196 to 205 are, like the rest, probing amendments to try to get these issues debated and to make people aware of them. They would provide that national security and technical capability notices be subject to a double-lock authorisation by the Secretary of State and the Investigatory Powers Commissioner. I appreciate that new clause 10 and other Government amendments are moving some way towards achieving that, which might make what I am about to say obsolete. I do not fully understand those amendments yet, as I am not a lawyer, as I have said.

My understanding of the Bill as it stood this morning was that only the Secretary of State had the power to authorise a retention notice, a national security notice and a technical capability notice. That was not in keeping with the rest of the Bill, which requires a judicial commissioner to be involved in the review and approval of those areas. Those notices in effect enable the Secretary of State to demand that private companies act as a facilitator, depository and provider of people’s communications. We need independent oversight, and as I have said, the Government have come some way towards establishing that, in new clause 10 and elsewhere. However, technical capability notices will have an impact on UK businesses with 10,000 or more users, in that they will require those companies to build systems to store user data for use by the intelligence agencies, the police and the Home Office. That is what is written into the code of practice.

Looking at the codes of practice, one thing that jumped out at me and which I found very difficult as a Conservative was the fact that the communications service providers—CSPs—will be subject to a technical capability notice. They will have to notify the Government of new products and services in advance of their launch in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide technical capability information on a new service. So, in English, and from a Conservative point of view, that will effectively mean that UK-based companies launching new products will now have to get permission from the state before they can go to market, in order to identify whether or not the state will require an ability to hack those products. Why on earth would a small business launch a new service here in the United Kingdom if those conditions remain in the codes of practice?