|
Patrick Mercer: Well, I regret asking that; it is all as clear as mud. No, it is absolutely clear, and I am most grateful to the Minister. I take his point about consistency and amendment No. 199, and I am sure that greater exposure to the magistrates benches, which I shall no doubt have in due course, would make clear why amendments Nos. 200 and 202 have been satisfactorily explained. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 30 ordered to stand part of the Bill.
Clause 31
Tampering with the Register etc.
Patrick Mercer: I beg to move amendment No. 201, in clause 31, page 27, line 3, leave out subsection (4).
I do not understand why the subsection adds to the quality or interpretation of clause 31. If we removed it, I believe that the clause would be simpler and more straightforward in its application.
Mr. Allan: I assume that this is a probing amendment. It carries on our earlier debate about territoriality. I find subsection (4) comforting; as I read it, it places the offence of tampering with the national identity register in the same category as offences such as war crimes, certain categories of sexual offence and so on, which, if committed abroad, can be treated as though they had been committed in the United Kingdom. That is important because the whole clause is an anti-cracker clause.
Mr. Browne: Hacker.
Mr. Allan: People who programme computer systems often describe themselves as hackers. They do not see themselves as bad guys; they describe the bad guys as ''crackers'', who are not generously proportioned Scottish psychologists, but people who try to break into computer systems. We know from plenty of experience of attacks on online gambling
Column Number: 389
sites that many crackers operate from former eastern bloc states. We can anticipate that such crackers will be among the sources of attacks on the national identity register, if such attacks take place.
I hope that the Minister will assure us that he will have the legal powers to go after such people, but that still leaves the big question of enforcement. That is not an argument against having the legal powers, but it is worth putting on record that, as we sit here, attacks against businesses in the United Kingdom are going on, against which, effectively, no enforcement is taking place. Recently, our few specialist law enforcement officers have been dealing with child abuse image cases; it is worth bearing in mind that our resources are very limited.
Although we are willing the legal means to go after people, we also need to will the means in terms of the bodies necessary to carry out prosecutions of that nature. Prosecuting somebody in a former eastern bloc country who has tried to break into a computer system is necessarily expensive and complex. I hope that the Minister can assure us that, to protect the integrity of United Kingdom citizens' data, there will be a serious intention to go after people who fall within the remit of that offence.
Mr. Browne: I am content to give Committee members the reassurances that they seek, and I shall do that quickly.
In many ways, this is a belt-and-braces provision; I shall explain why in a couple of minutes. It is similar but not identical to the jurisdiction under the Computer Misuse Act 1990. That similarity should show Committee members that the menace of activities abroad affecting information held in this country has exercised the mind of Parliament for some time, and that there is a formula for dealing with it, which is designed to do exactly what the hon. Member for Sheffield, Hallam described.
Subsection (4) provides for extra-territorial effect in relation to the offence of tampering with the register and has the effect that where unauthorised modifications take place abroad it is ''immaterial'' whether
''it is conduct of a British citizen.''
I will explain why that is important in a few minutes.
It is clear that if the register is to be protected from unauthorised modification, it is axiomatic that we have to provide for an offence that will apply to modifications effected from abroad, whatever the nationality of the computer cracker. The register will, however, be located in the UK, so even when the location of a computer from which an unauthorised modification is effected is outside the UK, an offence under clause 31 would be completed in this country. That is why I described this as a belt-and-braces provision.
There is a strong case for arguing that the UK courts would have jurisdiction over such extra-territorial behaviour, regardless of any express statutory reference. Moreover, Parliament could be
Column Number: 390
understood to intend that the UK courts should have jurisdiction over all unauthorised modifications of a register of the people who are resident in the UK. However, it is appropriate in this provision to make that clear and put it beyond doubt.
Being mindful of the general principle of the common law of England—that the exercise of criminal jurisdiction does not extend to cover acts that are committed on land abroad—I took the view that the matter should be put beyond any doubt in the Bill. A statute that expressly provides for extra-territorial jurisdiction will, in the absence of further clear provision, only be regarded as covering such acts when they are committed by British subjects, therefore provision had to be made in subsection (4), in any event, for the offence to apply, regardless of nationality.
For all those reasons, which are consistent with the protections that the hon. Member for Sheffield, Hallam would expect of this register, it is appropriate to have such specific provisions in this legislation. I trust that hon. Members will recognise the need for the provision of extra-territorial jurisdiction.
Mr. Clifton-Brown: I have been listening carefully to the Minister. It sounds as though he is breaking new ground and trying to legislate specifically for an offence that is committed abroad by a non-British national in a foreign jurisdiction, but the person would still be committing an offence in the UK. Am I correct? Are we breaking new ground?
Mr. Browne: With respect to the hon. Gentleman and as I understand it, we are not breaking new ground, because that jurisdiction is similar although not identical to the jurisdiction of the 1990 Act, which was, I hasten to add, enacted at the urging of a Government of the hon. Gentleman's persuasion. In that sense it is not new ground. The measure is included in recognition of the nature of the information technology world in which we live. People are able to attempt to do such things from abroad.
This specific provision in relation to people who are not British subjects is included because there is a rule of domestic jurisdiction that where a statute provides for extra-territorial jurisdiction, unless it is expressed otherwise, it applies only to British subjects. Therefore that has to be covered here. I repeat that it is arguable that since the act would have to be completed in the UK, where the register is located, our courts would have jurisdiction without this provision. However, if we are legislating for extra-territorial jurisdiction, it is as well specifically to state that that will apply to non-British nationals.
People who are not British citizens or subjects commit criminal offences in any event in the jurisdiction of the UK. We bring our criminal law to bear on such people, so to that extent the provision is not new either. The hon. Member for Cotswold sought confirmation that such action was novel. It is not completely novel nor is it regular or usual; it has its roots in the 1990 Act.
Column Number: 391
4.45 pm
Patrick Mercer: We have heard about extra-territorial jurisdiction—a discussion that was provoked by my hon. Friend the Member for Cotswold—while earlier we heard about the trousers of my right hon. Friend the Member for Skipton and Ripon being sent to the cleaners. We have now heard about the trousers, the belts and the braces, so, on that note, I declare myself satisfied. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
Mr. Allan: A final subject that is worth putting on the record is the fact that the offences covered by the clause could be expensive for the Secretary of State. They could compromise the system in such a way that he might end up spending large amounts of public money to put it right again. The offences are serious. Clause 31(3)(a) covers conduct that causes a modification of information held in the system—in other words, the act of changing people's records—while I assume that subsection (3)(b) refers to virus-type attacks on the system that stop it functioning correctly.
I have another worry. It is worth examining the taking of information from the system so that it becomes compromised. To use some Latinate words, I am thinking specifically of biometric algorithms. The system itself will contain calculations and formulae that will be used to guarantee the integrity of biometric data and guarantee that they can be transmitted securely between a hand-held device, for example, and the central database. If such data were compromised and people got hold of them, that could lead to a need to rework the system completely—at great expense to the Secretary of State and, thus, to the public.
I am a little worried that we have might not have covered such matters. I accept that they might be dealt with under the 1990 Act, but we must consider whether to reflect on the issue at a later date.
I am in the unusual position of wanting to strengthen the Bill, whereas I usually want to weaken it. If we are to have a database, however, we want it to be protected and, in such circumstances, we must ensure that there are no loopholes, which people can get through to do something without being covered by the law. I understand that the Government are reviewing the 1990 Act because there are holes in it; there are forms of attack that do not seem to be covered by the Act.
Similarly, I would not want us to put provisions on the statute book that allow people to break into the system and cause enormous public expense, but which, because of a technicality, leave that not actionable under law. I return to algorithms, the theft of which would not necessarily either modify the data or make the system unworkable, but might not be covered strictly under the offence. Other offences could apply and might be equally suitable, but surely it would be better to cover such offences explicitly under clause 31.
Column Number: 392
| 
