|Regulation of Investigatory Powers Bill
Mr. Ian Taylor: Although I failed to catch your eye, Mrs Michie, when we debated clause 47 stand part, the Minister's assurances at the end of that debate were important because they placed a higher requirement on the use of demands for the key, as opposed to plaintext. In clause 49 and the new clauses that we are discussing, the desire is to protect the innocent. Innocent people may reasonably be thought to be in possession of the key, but that conclusion may in fact be unreasonable. In other words, the innocent must have a way out of an accusation that they could have revealed information to the authorities.
I stress that I am not a lawyer, and plenty of lawyers have made a lot of money telling me that I am not, but the clause states that a person shall have a defence
That provision is expressed rather negatively. Although it is not directly related, new clause 1 contains the phrase,
That is a completely different way of viewing the same potential problem. I prefer the emphasis in new clause 1.
The difficulty is to try to prevent people who want to assist, but for some reson cannot, from being caught by the clause. One way of overcoming that risk would be to ensure that everybody put their keys into key escrow, which returns us rather circuitously to what we agreed we would not have: a statutory key escrow scheme. When we discussed the matter on Second Reading, it was clear that the Minister understood that. I have recanted since the dim and distant days when I thought that such a scheme might be a good idea. Therefore, we are at one against that. We do not want clause 49 to make companies so terrified of losing the key that they do eventually go to key escrow. That is not the way that the Minister wants to go, although key management, which may involve key escrow, is a sensible way of approaching the issue. Many private detective agencies and banks are setting themselves up to do that. I am not saying that that is not the right way to go, but we should not try to enforce such a measure because it suits the state or because companies are so terrified about losing the key that they feel that they must do it.
Inevitably, there will be technological ways of protecting the innocent. They are fairly complicated and I am sure that their number will grow in accordance with requirements. It is astonishing what a hard disk can remember, even when corrupted. With cookies and other measurement instruments, one can find out how an e-mail or web page has been used. In all those circumstances, those technological developments are not threatening; they represent one way in which the innocent can protect themselves against an unreasonable assumption that they could have given information which they are not in a position to give. My hon. Friend the Member for North-East Hertfordshire is right in that if we can make the test of criminal intent more explicit, we can increase the penalties. If we try to increase the penalties when the innocent may be captured until proven innocent in the courts with all the publicity and stigma that is attached to it, we do not want the penalties increased.
If, the emphasis is placed on the need to prove criminal intent, the penalties could be strengthened and that might overcome the difficulty whereby some criminally minded people might prefer to take the de minimis two years rather than something that could be much worse. There are many reasons why the Minister would be well advised to take note of the speeches of the hon. Member for Hallam and my hon. Friend the Member for North-East Hertfordshire because of their attempt to assist the Bill by strengthening the proof of criminal intent. Furthermore, new clause 1 would strengthen the penalties that might be imposed and, thereby, overcome some of the difficulties that will ultimately be criticised by industry when the Bill is discussed on Report, unless the Minister is about to make further concessions in the way that he has skilfully done throughout our proceedings.
Mr. Charles Clarke: I shall make no concessions. The position is straightforward and I shall deal with it at some length. Those who have spoken so far in the debate have been clear about the matter. It has been one of wide pubic discussion and concerns have been expressed that have sometimes been distant from reality.
I shall deal first with the central allegation of the opinion from Justice and the Foundation for Information Policy Research, which lies behind the two new clauses. It does not, however, carry sufficient force to merit such a response. The allegation is that the offence of failing to comply with a disclosure notice reverses the burden of proof to the extent that it is incompatible with article 6(2) of the European convention on human rights, which concerns the presumption of innocence.
It is said that it is easy to forget a password or key and difficult to prove a negative in that a person does not have something. The central charge that is made is that innocent people may suffer in such circumstances, which new clauses 1 and 5 seek to address. I believe strongly that the provisions are compatible with the European convention on human rights. My right hon. Friend the Home Secretary has signed a section 19 statement to that effect. It is not a frivolous undertaking.
The hon. Member for North-East Hertfordshire said-I am sure loosely-that the lawyers think this, that or the other, referring to the legal advice on such matters. I shall chide him gently and say that, in my experience, the lawyers never think any one thing. They have a range of different opinions on any given question. While the legal opinion is perfectly legitimate and valid, I hope that he would do the Government the credit of acknowledging that the legal advice upon which the Home Secretary has signed a section 19 statement is an equally valid-I would argue that it is more valid-opinion.
Under clause 46, there must be reasonable grounds for believing that a person served with a decryption notice can comply with any requirement placed upon him, by which I mean that that person has a key, before the use of the power can be authorised in the first place. As for the proposed non-compliance offence, the Bill places the burden on the prosecution to prove that the accused is, or has been, in possession of a key. It also outlines several statutory defences. I say to the hon. Member for Hallam that the innocent individual who receives unsolicited e-mail cannot be prosecuted unless it can be proved that he or she had possession of the key at some point. An issue is involved if the user was the only person who had the key and he or she claims to have lost it, but not if the individual can prove that he did not have possession of the key at some point.
Mr. Allan: It is up to the individual to prove that he had the key. The individual who receives the unsolicited e-mail might go to court and say, ``I never had the key, guv. What key?'' My reading of the Bill is that that will not be enough because the prosecution could say, ``We think that it is likely that you had the key.'' The prosecution does not have to prove that he had the key.
Mr. Clarke: I am coming to that point. I make it clear that it is an absolute defence to prove that one did not have the key.
It will be for the court to decide in any particular instance whether on the balance of probabilities a person has, for example, forgotten a password-that example has been widely discussed. There are many offences on the statute book that place burdens on the accused. Our approach in this context is to argue that a person who has been shown beyond reasonable doubt to have had the key in his possession is presumed still to have that key unless it can be shown on the balance of probabilities that he no longer has it.
That is the situation in terms of the legal burden of proof, but I want to discuss it in terms of common-sense understanding and to explain what will happen in particular cases. I agree with the hon. Member for Hallam that it is helpful to consider examples. I hope that that reinforces the point that I have made on several occasions that the offence does not reverse the burden of proof. It places a lesser burden on the defence, which is entirely appropriate. That approach is replicated in relation to many other offences. Let me explain why.
The real issue concerns not the reversal of the burden of proof but whether the individual in question can show on the balance of probabilities that he no longer has access to the key. The nature of emerging encryption technologies means that proving, even on the balance of probabilities, that one does not have the key at the relevant time could be a tricky proposition. That point was made by the hon. Member for Hallam.
However, we should put the matter in context. Data may have been acquired by law enforcement or other agencies through-it is important to emphasise this-lawful means, and a notice served on someone whom the authorities have reasonable grounds for believing has access to that data or to the means to decryt it. In that case, the authorities would have proved beyond reasonable doubt that that person either has, or has had, that data or appropriate means when the notice was served. In that event, the defendant may show on the balance of probabilities evidential that he did not have the key or could not comply with the request. The hon. Member for North-East Hertfordshire asked what could be done to show that.
There are two clear different circumstances, the first of which involves the case of a business. The business, which is responsible and secure, always has back-up mechanisms, always anticipates the loss of a key and always has an audit trail that establishes when keys were used for what purposes and when they were thrown away. We have got that message strongly from talking to business, and it is entirely reasonable to have such expectations. The hon. Member for Esher and Walton mentioned the possibility that some might choose the approach that is associated with key escrow. That is a different way to secure a rigorous system that pursues and tracks keys.
If a business found itself in that position-I emphasise, by the way, that I doubt whether it would-and had to show, on the balance of probabilities, that it did not have the key at the relevant time, it could wheel in any number of technical records to explain the circumstances under which it normally disposes of keys to produce evidence to that effect. Businesses are in a good position in this regard because their conduct will normally be supported by substantial records.
What about the individual? That raises the other case, which was discussed on Second Reading by my hon. Friend the Member for Milton Keynes, North-East (Mr. White) and others who raised it in different circumstances. What about the individual who simply forgets his password? As critics have said, that is a very reasonable thing to do-many people do so in many different circumstances. We should bear in mind that the individual has to demonstrate his forgetfulness only on the balance of probabilities, which means that he is already some way there. It is a reasonable explanation for him to say that he has forgotten his passport-I keep saying ``passport''; I mean ``password''-[Laughter.] I confess to having the Home Office disease. ``Password'' is the word what I want.
Precisely because forgetting a password is such a reasonable thing to do, it is rare that there are no contingency arrangements for such an eventuality. Depending on the circumstances of the case and the reasons why the material was acquired in the first place, individuals could easily state that they had forgotten their password or key, but volunteer information about the last time they remembered it, what they normally do when they forget it, whether their service provider has a back-up system or whether all data are destroyed every time that they lose their key. The court will take such factors into account. I think that that represents a perfectly reasonable set of events. I emphasise again that there is no reversal of the burden of proof. Once the prosecution has proved possession beyond reasonable doubt, the defence can avoid liability by demonstrating a change of circumstances on a balance of probability.
For the reasons that I have set out, I think that the alleged evils addressed by the new clauses are illusory. The burden of proof is not reversed.
There are other aspects of new clause 1 that do not appeal. The case for increasing the maximum sentence to 10 years is well made and I understand it, but the overriding concern must be the seriousness of the offence. Increasing the penalty to 10 years would put the offence on a par with cruelty to children or making threats to kill. I am not certain that that would be right; even the possession of paedophile material, which we discussed earlier, does not carry such a sentence. I am also conscious that, on Second Reading in particular, hon. Members alleged that what the Bill allows us to do amounts to key escrow by intimidation. As I said on Second Reading, I do not accept that, but it seems to me that increasing the penalty to 10 years' imprisonment would serve only to heighten that criticism and send out the wrong signals. We do not wish to do that.
I am also not attracted to subsection (6) of new clause 1, which proposes that a conviction resulting in a prison sentence of five years or more in the previous five years could be used as evidence of intent. The provision appears to have been modelled on a similar section in the Theft Act 1968-section 27. Such provision should be considered exceptional, and I am not persuaded that something along the lines set out in new clause 1 is needed.
The burden of proof is not reversed and the maximum two-year sentence is entirely appropriate. On that basis, the new clauses should not be accepted.
The hon. Member for North-East Hertfordshire also spoke to new clause 4, which adds to the Bill the power to search for a decryption key, with the authority of a circuit judge. I understand the reasoning behind the new clause, which seeks to assist the agencies to meet an operational requirement, but there may be practical difficulties. In some cases, there may be good grounds for believing that a person served with a decryption notice will fail to comply, thus enabling the authorities to apply for a search power at the same time as their application to serve a notice. However, in other instances, that may not be the case. The focus of the power is on suspects and their accomplices who have keys, but who wilfully refuse to co-operate; the hon. Gentleman made that clear. As we discussed this morning, the technology involved means that the key that the law enforcement agencies are seeking may, in fact, be held by a third party. The new clause raises the spectre-that may or may not be a justified perception-of the authorities searching the premises of innocent parties. That is a step too far, and that is why we did not include it when we first discussed what would be in the Bill.
The debate touches on difficult questions of judgment, and I acknowledge the diffuculties. In some ways, new clauses 1, 6 and 4 push in opposite directions. I am not criticising; it is a difficult issue. However, we believe that the balance that we have struck is right, and we consider that many of the criticisms that have been made are not well founded. The new clauses should be withdrawn.
I realise that I have not responded to the point made by the hon. Member for Hallam about hard disk failure and the destruction of a key in those circumstances. If the key is not available, the Crown Prosecution Service will not bring a prosecution. I am confident that the courts can distinguish between the loss of keys or an IT failure of this type and an attempt by the holder to destroy the key. When hon. Members have had a chance to consider what I have said, I hope that they will not press the new clauses to a vote.
|©Parliamentary copyright 2000||Prepared 4 April 2000|