My Lords, the number one priority of any Government is to keep our citizens and our country safe. The Investigatory Powers (Amendment) Bill seeks to make a set of targeted amendments to the Investigatory Powers Act 2016, which I shall refer to throughout as the IPA.
The measures in this Bill will support the security and intelligence services to keep pace with a range of evolving threats against a backdrop of accelerating technological advancements. Such advancements provide new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. They also mean that data is generated in more places, in more formats and by more different entities than before. The security and intelligence services need to identify nuggets of threat in increasing quantities of data.
Importantly, the Bill will also ensure that we maintain and strengthen the world-leading safeguards that underpin the use of the powers in the IPA. The measures in the Bill are narrow and relatively modest in scope, which reflects the strength of the existing legislation, but they are none the less critical to the task of protecting national security and countering other serious threats.
It may be helpful to briefly remind the House of the parent legislation that this Bill seeks to amend. The IPA provides a clear legal framework for the security and intelligence services, law enforcement and other public authorities to obtain and utilise communications, and data about communications. These powers and the resulting capabilities are essential in supporting these public authorities in carrying out their statutory functions, including detecting and preventing terrorism, state threats and serious crime.
But since 2016 the nature of the threats we face has evolved, and we need to ensure that the UK’s investigatory powers framework remains fit for purpose. The use of these powers is underpinned by the IPA’s robust and world-leading safeguards—including the double lock for most of the powers, whereby a judicial commissioner must approve the decision by the Secretary of State to issue a warrant under the IPA. All use of the powers must be assessed as necessary and proportionate, with strong independent oversight by the Investigatory Powers Commissioner. The right to seek redress is available to anyone via the Investigatory Powers Tribunal.
I emphasise that this Bill is about delivering focused and targeted changes to the existing regime and not about creating new powers beyond those to which Parliament has previously given its agreement during passage of the IPA.
This Bill follows the publication of a statutory report on the implementation of the IPA in February this year by the previous Home Secretary, and a subsequent independent review by the noble Lord, Lord Anderson of Ipswich, which was published in June this year. These reports set out the operational case for change and have informed the contents of the Bill. I thank the noble Lord, Lord Anderson, for his considered review of the IPA; he was instrumental in its initial design as the author of A Question of Trust during his tenure as the Independent Reviewer of Terrorism Legislation.
My Lords, I am sure the Minister was referring to me. But, seriously, I thank him for that helpful introduction and for the briefings that he and his officials have organised, including in buildings nearby later this week.
This is an important Bill, and we all need to ensure that it delivers effectively what we all wish for as we seek to defend our country and our freedoms against outside threats. I say to noble Lords including the Minister that we fully support the passage of the Bill, for the reasons that he outlined in his conclusions, and recognise the changed security environment that necessitates the need for this piece of legislation updating and improving the Investigatory Powers Act 2016.
There have clearly been significant changes to the threat picture, with developments that had perhaps not been fully foreseen over the last few years. Of course we have to remain vigilant against any terrorist threat, but even that has been overshadowed by other factors—in particular, the pace of geopolitical change and the extent of its impact on the UK and its people. The invasion of Ukraine, the weaponisation of energy and food supplies, artificial intelligence, the actions of Iran and the more aggressive stance with China in the South China Sea and beyond are just some of many examples. Importantly, this also manifests, as the Minister will know better than anyone, as threats such as economic espionage, the buying of influence, cyberattacks, disinformation and indeed, as we saw, the Salisbury poisoning. In the face of that hostile state activity, we have to change.
I join the Minister, and no doubt many others, in saying that we are very fortunate in having had the extremely helpful—and for me, I might add, understandable—report by the noble Lord, Lord Anderson, to guide us in this. It is also good to see other Members of your Lordships’ House who have extensive experience in this area to inform our debate. In congratulating the noble Lord, Lord Anderson, I shall raise some general points from his report and then deal with specifics as appropriate for a Second Reading debate.
My Lords, it is a great pleasure to follow the noble Lord, Lord Coaker. I look forward to a fascinating and intimidatingly expert debate. Before commenting on the Bill, I feel that it is important to contextualise what we are discussing today.
Many of us enjoy books that depict the intelligence services. In the main, the George Smileys who appear within their covers are practising in a world that is very far from the lived experience of most people in this country. However, the reality is very different. The work of the intelligence services impacts very many people’s lives in the UK. It is not just bombs and guns but drugs, people trafficking and other exploitation, financial and cybercrime, extortion and many other crimes. The perpetrators are Governments, terrorist organisations, criminal gangs and lone individuals. Crime and terror merge and are socially unjust activities that prey on the weak. The victims are most often the vulnerable and those with the least ability to resist. Within this depressing tapestry, we rely on our intelligence services to help keep us safe and we need a police force that can cope with the complexities of those crimes. Liberal Democrats wholeheartedly support the services that seek to do this and we welcome this debate.
We also believe that these vital tasks have to be balanced against the freedoms and liberties at the heart of our country’s values. Every new power must be weighed in that balance and the noble Lord, Lord Coker, just explained that from his perspective. As we have heard, this Bill proposes some specific amendments to the original Investigatory Powers Act 2016. I was not involved in the scrutiny of the Bill at that time; that fell to my noble friend Lord Paddick, and the noble Baroness, Lady Williams, was in the ministerial chair, so it is a new set of eyes looking at this legislation.
I remind your Lordships’ House of some of the key priorities that my noble friends here and my colleagues in the Commons applied to the 2016 Bill. The first of these is that there should be no weakening of encryption. The second is the vital role of judicial authorisation and the third is that, when it comes to the bulk collection of information or mass surveillance, British residents have a right to expect privacy. These principles were central to our response to the last Bill and will be to this.
My Lords, I thank noble Lords who have referred kindly to my independent review of earlier this year, a short sequel to the much longer reviews, A Question of Trust and the Report of the Bulk Powers Review, that I was commissioned to conduct, with all-party agreement, in advance of the Investigatory Powers Act 2016.
Given the controversy surrounding electronic surveillance at that time, in the wake of Edward Snowden’s disclosures, the IPA had a remarkably smooth parliamentary passage—although I say that as someone who was outside Parliament at the time. I put that down to the detailed preparation that preceded that Bill, including reports from the ISC and from RUSI, and of course to the work of the draft Bill committee, chaired by the noble Lord, Lord Murphy of Torfaen, who I am delighted to see in his place. I remember being questioned by its members, including the noble Lord, Lord Strasburger, and Suella Fernandes MP, as she then was. That committee made 86 detailed recommendations, practically all of which found their way into the Act. How much time and testosterone can be saved—and was saved in that instance—by debating these important issues before a Bill is published in final form.
The IPA replicated and, indeed, enhanced the very considerable powers conferred by its predecessor, RIPA, on our intelligence agencies and police. However, its emphasis on transparency and effective oversight, in particular by the judge-led Investigatory Powers Commissioner’s Office—IPCO—with its excellent technical support, brought it into the modern age. I believe we have seen the tangible benefits of that in recent years; I will give three short examples.
The UN special rapporteur on the right to privacy, who had previously described our arrangements as “worse than scary”, reported in 2018 after an inspection visit to the UK that, thanks to the balance struck by the IPA, the UK
My Lords, I too thank the noble Lord, Lord Anderson of Ipswich, for his very helpful and excellent work in his area. With the rapid acceleration of technology and technological capacity, I recognise the need for this Bill to be updated. In this context, I welcome the Government’s sense of urgency in addressing the changing landscape in this area, and seeking to close those gaps that potentially endanger both the security and the safety of our nation. My right reverend friend the Bishop of Leeds had hoped to be here today, as he has taken a particular interest in this area, but he is detained elsewhere. We would both like to express two concerns that we believe must be addressed as this Bill is debated in your Lordships’ House.
First, the proposed amendments give the intelligence services vastly expanded powers not only to investigate individuals but to harvest and exploit vast amounts of personal data—not just of crime or terror suspects but of anyone. The collection of bulk datasets of personal details, including facial images and social media activity, is far reaching and potentially indiscriminate, so we must rightly be concerned about how effective any safeguards might be in controlling the power that such access gives to our intelligence services. The risks, particularly under a regime less ethically aware than those we are used to in this country thus far, are substantial. The weakening of safeguards risks endorsing the need for updating surveillance capacity, at the same time as threatening basic human freedoms.
Secondly, it has become clearer by the day that we are developing technical capacity well ahead of the ethical consideration of risk. Ethical thinking might well be deemed inconvenient by those who wish to forge ahead with greater advances and greater security provision. However, to fail to address ethical considerations now will simply leave us, at best, running fast to catch up later once the train has left the station and is already at full speed away in the far distance—and, at worst, having compromised personal and societal freedoms and having changed the nature of a free society.
That was an interesting speech by the right reverend Prelate the Bishop of St Albans, because he put his finger on the dilemma of any legislation like this: the balance between liberty as a subject on the one hand and the security of our citizens on the other. That has become increasingly complicated as the years have gone by.
As the noble Lord, Lord Anderson of Ipswich, has mentioned, I was asked by the then Home Secretary, Theresa May, to chair a Joint Committee of both Houses of Parliament to deal with the original Investigatory Powers Bill exactly eight years ago this week. She asked me because I had been chair of the Intelligence and Security Committee. We met for about three months and made 86 recommendations, nearly all of which were accepted by the Government. Those recommendations were nearly all about the balance between liberty and security, which the right reverend Prelate referred to. The committee had 57 witnesses, including the noble Lord, Lord Anderson, and 148 written submissions. The process that took place all those years ago was vital for this sort of Bill. For various reasons we have not had that, and perhaps we will come to that in Committee.
That balance is also reflected in the work of government. For example, when I was Northern Ireland Secretary I had to sign warrant after warrant to deprive our own citizens of their liberty. They did not know it, of course, but that is what we were doing. If we had not done so, the chances are that many hundreds if not thousands of people would have perished in Northern Ireland, and indeed in Britain, because of the way in which the intelligence services were able to infiltrate the IRA and the loyalist paramilitaries.
Of course, a major recommendation of that committee was to have a review of the legislation five years after the legislation had been finished in Parliament. We have been very fortunate that the noble Lord, Lord Anderson of Ipswich, has actually conducted that review. I read it on the weekend. It is a lot to read on a weekend—138 pages—but it is, although on a very difficult subject, a relatively easy read for lay people such as myself. It is thorough; it is full of common sense, and it is practical. In the absence of a pre-legislative committee of both Houses, the review has, in a way, replaced that. Without the noble Lord’s review, we might not have the same Bill in front of us as we do now.
My Lords, I apologise before appearing—or, more precisely, not appearing—before your Lordships in this manner, but I understand that there has been a failure in the parliamentary network and I cannot appear in video; it was either by telephone or smoke signals, so I will settle for the phone.
I should begin by declaring my interest as chair of Big Brother Watch, which campaigns for the privacy and freedom of speech of the citizens of our country and seeks to protect them from unwarranted intrusion by the state into their lives and their data. Big Brother Watch has managed to rapidly prepare a briefing for parliamentarians about this Bill, and I commend it to Members of this House. It sets out five areas of concern, which I will cover later in my contribution.
However, Big Brother Watch had to work at pace to complete the briefing for this Second Reading because the Government published the Bill only on 8 November, just eight working days ago. I wonder what the reason could be for this rushed processing. Could it be that the Government want to avoid the thorough examination that this detailed and complex Bill needs? If so, the small number of Members who are ready to speak about it today—just 11, including the Minister—suggests that this strategy might have worked. Therefore, my first question for the Minister is to ask for an explanation of why so little time has been given to prepare for this Second Reading.
I sat on the Joint Committee that carried out the pre-legislative scrutiny of the original Investigatory Powers Bill in 2015 and 2016. The noble Lord, Lord Murphy of Torfaen, whom I am pleased to follow in this debate, was the chair of that committee and a very good job he did too. My view eight years ago was, and still is, that bulk data collection—that is, the interception or collection and indefinite storage of everybody’s innocent internet, phone and computer communication—is a serious intrusion on every citizen’s privacy and requires very strong judicial oversight.
Building on the areas of focus identified in the Home Office review, the noble Lord’s report focused on: the effectiveness of the bulk personal dataset regime; criteria for obtaining internet connection records; the suitability of certain definitions within the Act; and the resilience and agility of warrantry processes and the oversight regime. His review helpfully highlighted several areas in which the IPA could be improved, and we are pleased to say that this Bill aligns nigh on entirely with his recommendations.
Your Lordships may note that there is one area of the Bill that the review by the noble Lord, Lord Anderson, did not touch on: the changes to the notices regimes. This was subject to a separate public consultation, and the Government are grateful to those who responded for helping to shape this element of the Bill.
I will turn now to the main elements of the Bill. Part 1 deals with bulk personal datasets, more commonly known as BPDs, and makes changes to the way in which the intelligence services may use them. Building on the findings of the review by the noble Lord, Lord Anderson, the Bill provides a narrow group of provisions to: create a set of new safeguards for the retention and examination of BPDs where there is low or no reasonable expectation of privacy; allow for the extension of the duration of a BPD warrant under Part 7 of the Act from 6 to 12 months; and make clear that agency heads can delegate certain existing functions in relation to BPD warrants. Under the current regime, all BPDs—including those that are publicly or commercially available—must be subject to the double-lock warrantry process and strict examination safeguards.
While these safeguards are in many cases entirely appropriate, that is not always so, particularly where a dataset is publicly available and widely used. This has a detrimental effect on the agility of the agencies, particularly where these datasets could be used to develop new capabilities. It also inhibits their ability to work flexibly with allies and partners in academia or the private sector.
Creating a new regime for datasets that have low or no expectation of privacy will increase operational agility while ensuring that proportionate safeguards are in place, including prior judicial approval. This change will be an important step in preventing our agencies falling behind our adversaries.
The Bill also seeks to insert a new statutory oversight regime for examination by the intelligence services of third-party BPDs. Under the new measures, an intelligence service may examine a dataset on a third-party’s systems without taking control of the set itself. However, if the dataset is not publicly or commercially available to other users, the new warrantry process and requirements will apply. The regime will be subject to safeguards such as the double lock already in other parts of the IPA.
Part 2 will make changes to the role and remit of the Investigatory Powers Commissioner and their supporting functions. The Bill will enhance the world-leading oversight regime in the Act, including the role of the IPC. The changes will ensure that the regime is resilient and that the IPC can effectively carry out their functions. This will maintain and enhance the robust, transparent safeguards in the regime.
In addition to putting oversight of third-party BPDs on a statutory basis, the proposed amendments to the oversight regime aim to increase resilience and ensure that it remains fit for purpose. As highlighted in the then Home Secretary’s review, the IPA does not provide an easy mechanism to manage change. This has caused issues regarding the resilience and flexibility of the IPC and the wider IPA oversight regime, such as during the Covid-19 pandemic. The Bill therefore seeks to place the ability to appoint deputy investigatory powers commissioners and temporary judicial commissioners on to a statutory footing, to provide resilience where there is a shortage of judicial commissioners.
The Bill will also formalise some of the IPC’s non-statutory oversight functions—for example, their oversight of compliance by the Ministry of Defence of the use and conduct of surveillance and covert human intelligence sources outside the UK. The measures also provide greater legislative clarity in respect of the error-reporting obligations imposed on public authorities. The IPC has been consulted on all these measures and has endorsed the approach to ensuring that the oversight regime remains fit for purpose.
Part 3 makes changes to Part 3 of the IPA, which relates to powers for public authorities listed in Schedule 4 to the IPA to acquire communications data. CD is the data around the communication rather than the content of that communication. Section 11 of the IPA made it an offence for a relevant person within a relevant public authority to “knowingly or recklessly” obtain CD from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority. This will provide greater clarity to public authorities that they are not committing a Section 11 offence when acquiring CD from a telecommunications operator under those routes.
The Bill will additionally make targeted amendments to ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data in order to meet their statutory duties and obligations when administering public services or systems. Part 3 also makes a clarificatory amendment to the definition of CD in Section 261 of the IPA, to make it clear that subscriber data or data use to identify an entity will be CD.
Part 3 also makes changes to allow bodies with regulatory functions to acquire communications data. The use of regulatory powers under the IPA is limited to organisations such as Ofcom and the Information Commissioner’s Office for their regulation of telecoms operators. The Bill seeks to amend the IPA to expand the definition of regulatory powers to include public authorities with wider, lawfully established and recognised regulatory or supervisory responsibilities. The effect of this change will be such that authorities will be able to acquire CD using their own statutory powers and not rely on IPA powers. However, where the CD is being acquired with a view to using it for a criminal prosecution, authorities must use their IPA powers to acquire that CD.
Targeted changes will also be made to support the use of internet connection records by the NCA and intelligence agencies. The Bill will add a further condition which allows the service in use and time period to be specified within the application without the requirement that they are unequivocally known. This will enhance the ability of the NCA and the intelligence services to identify serious criminals, including paedophiles and people traffickers, helping to protect victims and counter threats to the UK’s national security.
Part 4 will ensure the efficacy of the existing notices regimes in the face of technological changes and the complex commercial structures associated with the modern digital economy. These measures have been carefully calibrated to address these issues in a proportionate way. Furthermore, the notices regimes have existed since the 1980s, and these reforms are just the latest iteration of that regime. This is not about introducing any new powers. The Bill will create a notification requirement which will allow the Secretary of State to place specific companies under an obligation to inform the Secretary of State of proposed changes to their telecommunications services or systems that could have an impact on lawful access. I wish to be clear that this is not a blanket obligation on the tech sector. It will be placed on companies on a case-by-case basis and with full consideration of the necessity and proportionality justifications of doing so each time.
Furthermore, the notification requirement does not give the Secretary of State any powers to intervene in the rollout of a product or a service or to veto such a rollout. It is intended to ensure that there is time for appropriate consideration of the operational impact and potentially for discussion with the company in question about possible mitigations. This notification requirement has replicated the existing notices standards wherever possible and is itself already part of the wider notices regime, where the Government are able to require companies under notice to inform us of relevant changes which affect their ability to provide assistance under any warrant, authorisation or notice.
The Bill also amends the effect of a notice during the review period. A notice must go through the full double-lock process before it may be issued to a company. On receipt of that notice, a company may request a review of that notice. Currently, the notice has no legal effect during the review period. The Bill amends this to require the company to maintain the status quo during the review period. This will mean that the company does not have to take any steps to comply with elements of the notice, other than to maintain its existing services at the point it is given the notice. The result will be that the company cannot take any action that will negatively affect the level of lawful access for our operational partners during the review period. This is without prejudice to the final outcome of the review and ensures that this outcome cannot be pre-judged.
The Bill also makes a clarificatory amendment to the definition of a telecommunications operator. This makes clear that large companies with complex corporate structures which together provide or control telecommunications services and systems fall within the remit of the IPA. It also clarifies that a notice may be given to one entity in relation to the capability of another entity. It does not seek to bring new companies into the scope of the IPA. Furthermore, the Bill creates a new safeguard for the renewal of notices. This will require a notice to be put through the full double-lock process after two years, if it has not been varied, renewed or revoked in that time.
Finally, Part 5 includes several minor changes to the IPA to ensure sufficient clarity and resilience within the regime. This includes increasing the resiliency of the triple lock, which is the additional safeguard for targeted interception and equipment interference warrants relating to members of relevant legislatures, such as this Parliament. Clauses in Part 5 will allow for the Prime Minister—in the event that they are unavailable—to delegate their responsibility for providing the triple lock to named Secretaries of State. This change is purely about ensuring resilience in the authorisation process and does nothing to alter the existing power or introduce any new power.
I conclude by highlighting the opportunity that the Bill affords us and the impact it will have on the safety and security of the UK and its citizens. Without making changes now, the ability of our agencies to tackle evolving threats—including terrorism, state threats, and serious crime—will be increasingly constrained. In the face of greater global instability and technological advancements, now is not the time for inaction. I welcome the further scrutiny that noble Lords will provide. From looking at the list of speakers, I am in no doubt that they will start with a typically insightful debate today. I beg to move.
It is of huge significance and importance that the noble Lord, Lord Anderson, did not produce a classified annex to his report. In an area of this importance and sensitivity, you obviously need secrecy and confidentiality, but there has to be as wide a public and parliamentary debate as possible. There are real issues of principle being discussed here, not least the right to privacy and the protection of an individual’s information or personal data. As I say, there is a need for the security services, law enforcement and others to act and to have the intelligence tools that they need, but the balance between national security, tackling serious crime and an individual’s privacy should and must, quite rightly, be a matter for public debate. When fundamental rights are at stake, that needs to be cautiously challenged, and this House will need to do that in Committee, while, as I say, fully supporting the overall passage of the Bill.
Chapter 10 of the report asks what comes next. Such is the pace of change and challenge, the noble Lord, Lord Anderson, recommends that, once this amending legislation is on the statute book, we need to move on very quickly to what comes next.
I shall turn to the Bill with some general comments, with the more specific questions coming in Committee. Bulk personal datasets are clearly important, and the Bill will allow a lighter-touch regulatory regime. The threshold will be where individuals have a low or no expectation of privacy in respect of that data. The Bill seeks to set out examples of the sorts of cases where such a regime would apply for the examination of material by the UK intelligence community. I believe there will need to be a careful debate about what such a threshold means. What does “low” mean? Would all such activity be subject to the approval of a judicial commissioner? Some have already expressed particular concern about new subsection (3A)(e), inserted into Section 11 by Clause 11(3), which says that communications data can be obtained
“where the communications data had been published before the relevant person obtained it”.
Does that mean it is available simply by having been published?
On a more general point, how does all this relate to the Data Protection Act, where personal data may be protected but is potentially not so by the new Bill? Big Brother Watch gives the example of the potential concern over Clearview, which has a mass of facial images—approaching 30 billion—harvested from social media. That could be considered a low-privacy database since the photos had been made public by the individuals, but the Information Commissioner’s Office found Clearview in breach of the Data Protection Act. This argument could therefore potentially be extended to many areas, such as Facebook posts, and will therefore need careful scrutiny, along with the more general point about the relationship between this Act and the Data Protection Act.
There are to be new proposals for internet connection records; they are clearly important, but changes are again being made. In particular, on the justification for target discovery—which, in essence, is a more generalised surveillance, if I have understood it correctly—is it the case therefore that there may not necessarily be a need for suspicion to lead to a particular form of surveillance? It is also interesting to note that, according to the report by the noble Lord, Lord Anderson, as I understand it, this extension or facilitation of target discovery for internet connection records should be limited to UK intelligence. So why have the Government extended this to the National Crime Agency as well as to the UK intelligence community? In other words, why has it gone beyond the recommendations of the noble Lord’s report?
The need for the communications of legislators to be secure and confidential—say, in discussing matters with constituents or other bodies—except in the most exceptional circumstances, is of real importance. Following the IPT case in 2015, there was legislation in the 2016 Act that tried to protect this principle by allowing any interception or obtaining of any communication to be allowed only with the so-called triple lock—in other words, after Prime Ministerial authority was given. The question this Bill seeks to answer is: what happens if the PM is, in the Minister’s words, “unavailable”? This seems to me to be a reasonable question to ask. We need to probe Clause 21 carefully and ask whether the inclusion of any Secretary of State is too broad a definition, what the involvement should be of senior officials, as laid out in the clause, and whether the proposed definition is correct. For example, would it not be better to specify the Secretaries of State as the Home Secretary or the Defence Secretary, or other senior Secretaries of State, rather than the broad blanket of any Secretary of State? The senior officials are explained, to an extent, but we need to explore in Committee whether we need to be more circumspect with what we mean by that.
We have also received a briefing from Apple, and it is important for us to reflect on its concerns. As I have made clear, we support the passage of the Bill, subject to proper scrutiny, which we and others will give in Committee, but Apple’s concerns need to be addressed by the Government in a public forum, to ensure trust and confidence in the new system we seek to introduce. Why is Apple wrong to have concerns about pre-clearance requirements?
On extraterritoriality, the noble Lord, Lord Anderson, says on page 57 of his report that he makes “no recommendation” on a policy issue for DRNs or the importance of end-to-end encryption. End-to-end encryption is a key security tool for us all, but it is also one that can be used, and is used, by malicious actors. We understand that, so how do we strike a balance between the necessity for the privacy and protection of an individual’s data and the need for security services and others to have potential access to that data to uncover serious crime or terrorist activity? In Committee, we need to discuss where that balance should be made and where that line should be drawn; it is an important area of discussion.
Throughout the report by the noble Lord, Lord Anderson, and the subsequent Bill before us, we see various adaptions of warrant processes, judicial oversight and the role of the commissioner, with many proposals. While we are generally supportive, we will need to examine these in more detail in Committee, but I have a few general points to raise now. For example, does the Bill help to sort out confusion in government? Incredibly, on page 28 of the noble Lord’s report, the MoD cannot, even when co-located in a hostile environment, transfer some data to the UKIC. Does the Bill sort that out? That is an important question that I put on the table for an answer—not necessarily now, but certainly in Committee.
Domestically, on the same page, we are told that it was a revelation to UK intelligence community officers to see how easily other government departments subject only to normal data protection requirements could access, retain and process bulk personal data. This Bill should not go through without the corresponding changes to policy and practice, highlighted by the above two apparent anomalies. No doubt there are many more. It would be a wasted opportunity were we not to address some of those examples which seem to draw attention to anomalies within the existing system which many of us would expect a Bill such as this to sort out.
Co-operating should not be as difficult as it seems to be. Openness and transparency are crucial so that we can be sure that, as far as possible, the number of various warrants applied for and refused is made public. More generally, what role is there for parliamentary oversight as well as the intelligence commissioner and so on? The Intelligence and Security Committee is our important eyes and ears on this matter. What part will it play in all this? Are its terms of reference, which I have said in other debates are in need of review, sufficient to allow the necessary level of scrutiny? If it is not appropriate for the committee to be involved, where is the parliamentary scrutiny? Where is the mechanism for reporting to Parliament? It would be interesting to hear that from the Minister. Yes, there are various commissioners and there is senior ministerial involvement, but what of Parliament? Parliament cannot be seen in areas as important as this as an afterthought or an irritant. It should be a proper custodian of our values in this difficult area.
I have laid out some of the key issues, although there are many more. I conclude by saying that, as the noble Lord, Lord Anderson, pointed out in his report, we cannot allow the debate to be characterised as being between those who stand up for security, for our country, and who understand what needs to be done, versus a privacy lobby that does not live in the real world. Of course, operational security cannot be compromised and changed threats require policy to be developed. We support the Government in this through the changes which are needed in this Bill. The challenge is to do so in a way that is consistent with our principles of democracy and human rights. Sensible debate and discussion surely will help us towards something that we all want—to build a consensus as far as possible over protecting our nation and allies against those who would do us harm, and not to undermine privacy or freedoms unless it is essential to do so.
Today’s Bill, as we have heard, is the product of deliberation over years. Your Lordships should particularly thank the noble Lord, Lord Anderson, for his work on it. However, given the time taken to get this far, it is very disappointing that the Government chose to introduce the Bill in such a rush that it gave just eight working days for parliamentarians and civil society to prepare for the specific scrutiny of it. If the Government were seeking to ensure that they took people with them, this is a way to antagonise them. There are already comments about haste being an effort to railroad people.
I am afraid my speech today is quite a long one because I did not have time to write a short one. I turn to the Bill. As the Minister set out, the original Bill established a set of protections under Part 7; this Bill introduces two new levels of security, Parts 7A and 7B. Part 7A is introduced in Clause 2 and concerns bulk datasets, as we have heard, with
“low or no reasonable expectation of privacy”.
These so-called low/no datasets may be in three types, each with slightly different rules.
I have enjoyed helpful discussions with the Minister’s department and for that I appreciate his facilitation and engagement. During those discussions, the basic explanation has been that these datasets are needed to train tools using machine learning, that they already exist and are being used in the commercial world, but the Part 7 process makes them at best clumsy and at worst impractical to be used by the intelligence services. I take those points. Furthermore, the introduction to Part 7A includes a requirement for approval from judicial commissioners. Had it not, this discussion would have been much harder.
If training Al tools is the stated prime mover for Part 7A, the inclusion of urgent data as one of the three types of data clearly indicates it is also needed for ongoing investigations. I can imagine why urgent data might be needed, but it is the investigators who will define the urgency. Additionally, new Section 226BC refers to a relevant period of three working days between the acquisition of the urgent data and full judicial approval. Yet, after three days, the judicial commissioner may decline to permit the use of the data that has already been employed in an investigation using rapid Al-enabled analysis.
Taken together, I have my worries. There needs to be a duty to immediately notify the judicial commission. Secondly, there should be guardrails helping define “urgent” and finally we need to discuss how information discovered using data that is subsequently ruled ineligible is, shall we say, unremembered. Without these, the use of low/no datasets in this way for operational issues is concerning.
I have gone into this in some detail because I see it as a serious operational concern but also because I wanted to illustrate the sort of scrutiny the Government should expect from these Benches throughout this debate. There are other examples as we go through the Bill, but I will refer to those only broadly now. Clause 5 introduces a second new category of approval, Part 7B, this time for datasets held in third party assets to which the intelligence services have access. As far as I can deduce, this brings into the orbit of the IPA data which was previously not included and mandates both Secretary of State and judicial commission levels of approval. Unless I learn otherwise, that is a good starting point.
That said, we will seek to initiate explicit discussion around the use of medical, genetic and genomic data and how this can be protected. Here I note that anonymised data can be relatively easily reassigned, so anonymity in health databases is no actual protection. This is important on several levels, not least for public confidence in the digitisation and legitimate use of this very important information.
Part 2 allows the deputisation and delegation of some of the powers to broaden the number of people responsible involved. I just ask whether the Minister believes that this heralds a massive increase in workload.
In Part 3, I thank the Minister for his explanations around Clause 11, which I shall read carefully, and I will be coming back for some more details about how that will work in practice. Clause 14 creates a new condition for the use of internet connection records by the intelligence services and the NCA. Broadly, this removes the need for exact times when seeking connection records, substituting time ranges. This seems acceptable, as long as the Minister can assure your Lordships’ House that this will still require Secretary of State and judicial commission approval.
Part 4 moves into the area of retention notices and away from issues covered by the report of the noble Lord, Lord Anderson. I believe that Clause 15 is focused on bringing inbound roaming on foreign SIM cards into the frame, so I would appreciate details of how this will work. For example, if I am in the UK using a SIM that I bought in Dubai from a UAE-based telecoms provider, how does the intelligence officer proceed?
Clause 20, as we have already heard from the noble Lord, Lord Coaker, is one that has already raised eyebrows in the industry. Proposed new subsection 258A requires telecoms operators to inform the Secretary of State if they propose to make changes to their products or services that would negatively impact existing lawful access capabilities. In reality, this can include changes in encryption, a topic which has recently been on a rocky journey through the passage of the Online Safety Act. This Bill proposes a number of changes, building on the current regime set out in the 2016 Act, that relate to decryption of private messages for law enforcement purposes. In short, we believe the amendments would, or at least could, grant the Home Secretary more extensive powers to intervene in, and in some cases block, communications providers’ operational decisions, including enhancing privacy settings for users, with potential knock-on implications for end-to-end encryption on those services for everyone. I think more debate will be needed in this area.
There are other issues of timing, the possible length of a review, extraterritoriality and the level of judicial commission oversight at the notice level. I am sure I will be told by the Minister that this is a narrow interpretation, but it is an interpretation that has legs outside your Lordships’ Chamber. How will this power be used and what are the implications? Will we perhaps see British law officers beating a path to California to serve these notices? In a sense, how far does this go?
Finally, Part 5 invokes some interesting questions, some of which the noble Lord, Lord Coaker, has already asked and we will surely want to probe. We will want to introduce a requirement that the Investigatory Powers Commissioner is informed of, and records in their annual report, the number of warrants authorised each year to permit surveillance of Members of relevant domestic legislatures. For now, perhaps the Minister could tell your Lordships’ House what the process is for gaining permission to intercept and examine the Prime Minister’s communications.
We will also be probing two other important areas on which there is no time to expand today. The first is specific protections to avoid either cementing or introducing systemic bias against certain sections of the community from the AI models of the future that will be built as a result of this legislation. The second is the use of facial recognition technology on the back of the tools created using the low/no databases, a point that the noble Lord, Lord Coaker, raised.
To conclude, we are concerned that the Bill could push legislation further past the point of balance that we started to discuss. We need to ensure that judicial oversight extends right through the activities enabled by the Bill, and there should be no weakening on the encryption issue. I hope the Minister views this critique in the spirit of constructive support that I have sought to invoke, and I look forward to the rest of the debate and the further stages of the Bill. As he can see, our work will be built on the foundation that British residents have a right to expect privacy.
“can now justifiably reclaim its leadership role in Europe as well as globally”.
The English Court of Appeal overwhelmingly rejected an extensive series of challenges to the IPA in August this year, citing the authority of the European Court of Human Rights, which, rather more than the EU’s court in Luxembourg, has shown itself impressively ready to accept the use of bulk collection powers, properly safeguarded.
In addition, judicial approval of warrants, introduced here by the IPA but long familiar in North America, was instrumental in securing our data access agreement with the United States—a world first, which, given the American ownership of so many big internet platforms, is of particular significance to law enforcement on this side of the Atlantic.
Therefore, the IPA has been good for this country, including by helping to secure the international acceptance and co-operation that are ever more essential to the fight against organised crime and threats to national security.
However, the Minister is right to say that in limited areas, the IPA is in need of what I call running repairs. The Home Office invited me earlier this year to look at some of those areas which it had identified as in need of attention. Other parts of the Bill, including elements of Parts 1, 3 and 4, fell outside the scope of my review. In my report published in June, I largely accepted the Home Office diagnosis, although my prescriptions were in some respects different from its. In particular, in relation to the bulk dataset issues that occupy Part 1 of this Bill, I thought it important that the borderline between Part 7 and the proposed new Part 7A of the IPA, concerning datasets in which there is a low or no expectation of privacy, should be patrolled at the moment of decision not just by the intelligence agencies themselves but externally by independent judicial commissioners.
Since my report was submitted in April, there has been a convergence of views on this issue and on others, one of them in relation to the NCA and Clause 14, which was touched on by the noble Lord, Lord Coaker. I am grateful to the Security Minister and to the noble Lord, Lord Sharpe, for our discussions and the open spirit in which they took place.
The Minister knows that it has not always been my habit to give an unqualified welcome to Home Office Bills; judging from the Statement that was debated earlier this afternoon, I cannot guarantee that things will be any different in future.
I understand that Ministers like to come to this place with a few concessions in their back pocket, and there is no harm in that. But too often, elements of the Bills that arrive with us have a lopsided look; one suspects, rightly or wrongly, that they are the opening gambit in a concession strategy, whereby the energy of this House is occupied with the tabling and discussion of amendments, only for the Government eventually to concede what they had a good mind to do all along. This can be both frustrating and counterproductive; those who mistrust the Government see their worst fears confirmed by the initial version of the Bill, while those who trust them are reluctant to express that support, lest the ground be cut from under their feet.
It is to the credit of those concerned that I do not believe that such an approach has been taken with this Bill. No doubt it is capable of improvement; I welcome the challenges that have been made by NGOs and by the noble Lords, Lord Coaker and Lord Fox, not least because I was not able to consult in quite such specific terms as I would have liked on the proposals that were put to me by the Home Office. Indeed, there are a few points that I may seek to probe in Committee. But I consider that the Bill is an honest attempt to strike a fair balance in these difficult areas. We risk reversing the operational gains that it promises if we overload the Bill with unnecessary safeguards, or seek radically to reshape the judgments that it makes.
We need powerful weapons to combat the scourges of hostile state activity, terrorism, fraud, people trafficking and child sexual abuse, and we need to embed them in a strong framework that includes the gold standard of prior judicial authorisation for the most intrusive powers. This Bill gives us both those things, and we should not discard or devalue either.
History suggests that the lifespan of investigatory powers regimes is no more than 15 years or so, and technological developments mean that we are likely to be working towards a more fundamental revision of the IPA by the end of the decade, if not before. My report contains some ideas on what these technological developments are and how the process might be started, but for the time being I am glad that time has been found for this necessary Bill. I am happy to give it my support.
The current proposals are likely to lead to a broad and vague definition of “public safety” in which the security and powers of the state in one area reduce essential personal freedoms. To that extent, I believe the helpful comments made by Big Brother Watch should be taken seriously and answered comprehensively if we are to be fully aware of the trade-off between two goods: public safety and personal privacy.
No one would wish to stand in the way of His Majesty’s Government’s intention to tackle terrorism, state threats, serious organised crime such as child sexual exploitation, illegal migration and fraud. These need to be faced head-on. The question is whether the proposed extensions contain sufficient safeguards to ensure that the mass of law-abiding citizens in a free society are not caught up in a form of mass surveillance in which they cannot trust that justice and privacy will be upheld.
When the Bill was first passed in 2016, the then Home Secretary said
“it is … right that these powers are subject to strict safeguards and rigorous oversight”.
It is essential that the Bill meets those conditions, but I worry that it does not do so in all places in its current form. We look forward to interrogating the Bill as we take it through its later stages.
I agree with every single one of the noble Lord’s recommendations and, indeed, in Committee, there may well be more recommendations that this House can put before the Government. I hope that we do not get into a situation where we have to vote on those, but that we can have proper discussions between Members of this House and the Government on what those might be. They could cover internet communications records, bulk personal datasets, the issue of telecommunications companies and their notification of changes in the way they operate—all these things are significant. I just want to touch on one, which is of interest to all of us in here, and that is how we deal with parliamentarians.
The Wilson doctrine is as old as Harold Wilson, of course: it was a long time ago that that happened. I understand that, because we now need three people, including the Prime Minister, to consider these matters, but if the Prime Minister is incapacitated—as Boris Johnson was when he had Covid at that time—what do you do? Presumably, you go to the Secretary of State to be able to deal with that issue. I think that is sensible, but I take my noble friend Lord Coaker’s point that it should not be just any Secretary of State. It should be confined to either the Foreign Secretary, the Home Secretary, the Defence Secretary or the Northern Ireland Secretary; in other words, Secretaries of State who have experience of dealing with warrants, because these are such hugely important matters.
I also want to take up the point that my noble friend made about the Intelligence and Security Committee itself. The Minister will answer whether the committee has been consulted on these proposals: if it has not, it should have been and if it has, it would be useful for us as parliamentarians to know what it said. That is of vital importance to us.
Clearly, we need to update how we deal with the evil and unpleasant people who threaten our security and our lives. The technological innovation in the past eight years has been absolutely dramatic and will get even more dramatic as the years go by. My noble friend mentioned China, the war in Ukraine and Russia, and all those other authoritarian countries that exist on our planet. That is going to get worse. He also mentioned how much more sophisticated criminals now are, so we have to keep up with all this. What struck me in the last six or seven weeks, in the horrific and terrible war that we now see in the Middle East, was that the intelligence services of Israel, which were notably good, obviously failed. It could have been that if they had worked, we might not have had the horror that we now see in the Holy Land. I support this Bill, but I also support it on the basis that it has had immense scrutiny from the noble Lord, Lord Anderson; but there is still work to be done and I look forward to debating it in Committee.
Those who support this mass surveillance seek to reassure us by saying that if you have nothing to hide you have nothing to fear. However, in truth do we not all have something to hide that we would prefer to keep to ourselves? That is why we shut the toilet or bedroom door behind us. That is why we do not speak in public about troubling issues in our family or friendship circle such as addictions, unwanted pregnancies, financial woes and the like. There are some things that we just feel are private—the kind of information that, in the wrong hands, can be used to demean or blackmail any of us. That detailed knowledge about every individual in the country could be used by an unscrupulous Government—who are considering ignoring laws and treaties, for example, if that rings any bells. They could use it to identify all citizens of a particular religion, political persuasion, sexual proclivity or whatever, to single them out for disadvantageous treatment or worse—much worse.
The state is collecting this personal information about us all and we cannot predict who in a future Government will get their hands on it and might totally misuse it. All I can say with certainty is that East Germany’s Stasi would have thought that every day was Christmas if it could have laid its hands on such a rich source of intimate data about all its citizens. Therefore, we must achieve a balance between the privacy needs and rights of individual citizens and protection of those same citizens from terrorists and serious and organised crime. It is not an easy balance to get right. I fear that the Government are still erring in favour of capturing too much data about innocent citizens—of course, the vast majority of us.
There is another very strong reason for not engaging in the collection of everyone’s data. The problem is that the useful information about terrorism or organised crime gets buried in a blizzard of useless data about the vast majority of us who are innocently going about our lives. In 2016, the Joint Committee on the Draft Investigatory Powers Bill heard startling evidence about the problem that this causes for security services from a gentleman called Bill Binney, a retired technical director of the United States National Security Agency and a bit of a folk hero in the intelligence community because he predicted with great accuracy when the Russians would invade Afghanistan just by analysing the patterns of their military signals. However, later in his career Mr Binney concluded that the NSA’s policy of collecting the data of all American citizens was unconstitutional, so his team devised software called ThinThread. It used smart collection to pick out for inspection only the communications of known terrorists, those they were talking to—and who those people were talking to.
The management of the NSA instead chose to go down the road of collecting 100% of the data through a highly expensive project, Trailblazer—which was later abandoned—and ignoring Bill Binney’s method of giving the analysts a much smaller but richer and more relevant set of data. The consequence was that the NSA missed the data that it already had in its systems which would have alerted it to the plot to attack the twin towers on 9/11. If only the NSA had known that it had it and had looked at it. We know that the NSA did have it because shortly after 9/11, Mr Binney’s team ran its ThinThread software against the NSA’s database at the time of 9/11 and found six of the 9/11 conspirators and their command centres. Mr Binney shocked the committee by revealing that 9/11 could, and should, have been prevented—if only the American security analysts had not been swamped with useless information.
The price paid by the American people for their security services’ predilection for bulk data collection was very high indeed. Yet here we have in this Bill the continuation of that folly by our own intelligence services. I invite noble Lords to recall the terrorist attacks of the last 20 years and that, almost every time, it was later revealed that the perpetrators were known to the police or the intelligence services. Our people being swamped with irrelevant data must have contributed to the failure to further investigate these suspects before they acted.
The Government will no doubt argue that the advent of artificial intelligence makes it more possible for them to search for needles in haystacks. That may well be so, but some of that advantage will be negated by the massive explosion of data volumes they are now collecting from a wide variety of sources, especially social media and video. The fact remains that they are still holding, and have available for inquiry, huge amounts of data about all of us in this House and in this country—all of it at risk of being misused. Bill Binney’s solution was to immediately encrypt the 99.9% of the data that was of no interest to protect it from snooping, official or unofficial. In the UK we have none of that protection.
The Investigatory Powers Act, to the credit of the then Government, sought to reassure the public that there are limitations on the use of personal data by law enforcement and the security services, and how those limitations are policed. However, it is worth noting that it was also disclosed that several intrusive powers have been used on the British people for many years, without any such constraint. That was because they had been in use without the consent or even the knowledge of Parliament. If it had not been for the brave whistleblowing of Edward Snowden, the contractor to the American National Security Agency, the scandal of the UK’s concealed surveillance powers would not have been revealed to Parliament and may never have been addressed.
We need an Edward Snowden-type whistleblower every few years to keep our security services and our Government honest, because the safeguards that are in place to ensure compliance by the security services and prevent misuse of these highly intrusive powers seem to be inadequate, as illustrated by the TechEn case. This was a very serious breach of the statutory safeguards in the Investigatory Powers Act and the Regulation of Investigatory Powers Act 2000. It was the subject of the scathing judgment against the Security Service and the Home Office by the Investigatory Powers Tribunal in January this year. MI5 admitted that it had been aware, since May 2016, that there was a very high risk it was in breach of its statutory obligations concerning the holding of personal data under both Acts. It also admitted that it should have immediately reported to the Investigatory Powers Tribunal but failed to do this for three years.
The Investigatory Powers Tribunal found that
“there were serious failings in compliance with the statutory obligations of MI5 from late 2014 onwards”—
that is, two years earlier than MI5 admitted—and that those failings should
“have been addressed … by the Management Board”.
It was also strongly critical of the Home Office’s failure to inquire further into MI5’s long-standing compliance failures, after being made aware of them several times since 2016. The tribunal found that the Secretary of State breached their duty to make adequate inquiries as to whether the statutory safeguards were being met, and that warrants were issued after late 2014, through to 5 April 2019, that were unlawful and did not meet the safeguarding requirements imposed by the Investigatory Powers Act and RIPA. Other breaches of the safeguards were alleged, but we do not know the tribunal’s verdict on them because they were covered only in the secret part of the judgment.
As the noble Lord, Lord Anderson, whom I also thank for this thorough review, points out:
“MI5’s previous non-compliance has led to it being the subject of particularly rigorous oversight by IPCO with four extraordinary inspections taking place in 2019”.
He later warns that the TechEn case is a
“salutary reminder of the principle underlying the IPA: that exceptional powers require strong and independent external oversight”.
We would do well to remember those words when we come to consider the Bill in detail. There is clear, authoritative evidence that all is not well with the compliance mechanism in the Investigatory Powers Act. Some of us predicted this during the Bill’s consideration in this House. We also called for judicial authorisation to manage the risk of these suspicionless electronic surveillance powers, which are on a scale never seen before in a democracy. Instead, the Government set up a much weaker double-lock system, and now we see the consequences. So my second and third questions for the Minister are: what are the Government’s plans to seriously improve compliance with the Investigatory Powers Act, and will they now recognise that the current supervision regime is failing and needs to be replaced with much stronger arrangements? On a related matter, my fourth question is: when will the Government introduce regulation of a highly intrusive technology that is running riot in policing and security with absolutely no rules, safeguards or oversight—namely, facial recognition?
I turn to this Bill. There are five primary concerns that will be covered in detail in future stages in this House. As has been discussed, it weakens the safeguards against the intelligence services collecting bulk datasets of personal information by potentially harvesting millions of facial images and mass social media data. The Bill’s creation of a vague and nebulous category of information where there is deemed to be a low or no reasonable expectation of privacy is a concerning departure from existing privacy law, in particular data protection law. Such an undefined category requires agencies that are motivated to process such data to adjust safeguards according to unqualified assertions about other people’s expectations of the privacy of their data. On the contrary, data protection law is constructed according to the sensitivity of the information rather than guesswork about the individual’s expectation of privacy concerning personal information. In my view, this provision needs to be worded more tightly.
It weakens safeguards when authorities harvest communications data—for example, membership of and Facebook posts to a racial equality group could be seen as data available to a section of the public as defined in this Bill, and therefore the authorities may wrongly believe that they consequently possess lawful authority to obtain associated communications data from the platform. Once again, more precise wording is needed.
Thirdly, it expressly permits the harvesting and processing of internet connection records for generalised mass surveillance, which is a much wider purpose than originally envisioned.
Fourthly, it increases the number of politicians who can authorise the surveillance of British parliamentarians and members of other domestic legislative bodies. Politicians are not above the law but, given their important constitutional role, spying on them must require the highest authority—namely, that of the Prime Minister.
Fifthly and finally, it attempts to force technology companies, including those overseas, to inform the Government of any plans to improve security or privacy measures on their platforms so that the Government can consider serving a notice to prevent such changes. I am sorry to say that the Government must be suffering from delusions of grandeur if they think that Apple, for example, will agree to desist from improving the privacy protection of its products or to produce an iPhone with downgraded privacy features especially for the UK. Superior privacy for its customers is one of Apple’s main selling features, and it is not going to forfeit that to please the current Government in a small part of its worldwide market.
We have much to discuss when this Bill reaches its Committee stage. In the meantime I look forward to hearing the Minister’s response to my four questions at the end of this debate.