House of Commons
Session 2006 - 07
Public Bill Committee Debates

Draft Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007

The Committee consisted of the following Members:

Chairman: Mr. Eric Illsley
Battle, John (Leeds, West) (Lab)
Beresford, Sir Paul (Mole Valley) (Con)
Blunt, Mr. Crispin (Reigate) (Con)
Burden, Richard (Birmingham, Northfield) (Lab)
Campbell, Mr. Alan (Lord Commissioner of Her Majesty's Treasury)
Clegg, Mr. Nick (Sheffield, Hallam) (LD)
Clelland, Mr. David (Tyne Bridge) (Lab)
Corbyn, Jeremy (Islington, North) (Lab)
Garnier, Mr. Edward (Harborough) (Con)
Hepburn, Mr. Stephen (Jarrow) (Lab)
Hewitt, Ms Patricia (Leicester, West) (Lab)
Howarth, David (Cambridge) (LD)
McNulty, Mr. Tony (Minister of State, Home Department)
Osborne, Sandra (Ayr, Carrick and Cumnock) (Lab)
Reed, Mr. Jamie (Copeland) (Lab)
Scott, Mr. Lee (Ilford, North) (Con)
Shepherd, Mr. Richard (Aldridge-Brownhills) (Con)
Hannah Weston, Committee Clerk
† attended the Committee

Fifth Delegated Legislation Committee

Tuesday 17 July 2007

[Mr. Eric Illsley in the Chair]

Draft Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007

4.30 pm
The Minister of State, Home Department (Mr. Tony McNulty): I beg to move,
That the Committee has considered the draft Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007.
The Chairman: With this it will be convenient to consider the draft Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007.
Mr. McNulty: I warmly welcome you to our deliberations, Mr. Illsley, and thank you for chairing today’s proceedings. I say that with a slight smirk on my face because I forgot to make such a remark yesterday to Mr. Hancock. Kind as my colleagues are, they reminded me of it throughout the 50 minutes of those proceedings, so I am pleased that I remembered to offer a welcome today.
The orders are made under section 71 of the Regulation of Investigatory Powers Act 2000 and were laid before Parliament on 14 June. The purpose of the first order is to secure approval for a draft code of practice relating to the acquisition and disclosure of communications data under the 2000 Act, the acquisition of data by public authorities, and its disclosure by communications service providers. Communications data such as telephone and internet subscriber information, allocation of internet addresses, itemised call records and mobile phone location data, remain vital tools in the prevention and detection of crime and in safeguarding the public. Data about who contacted whom and when provide evidence of association between individuals and of the time and place of events, corroborate the testimony of victims and witnesses, and provide evidence of innocence. Most importantly, such data are not about the content of communications; they do not include what was said in telephone calls or written in emails.
The provisions in chapter 2 of the 2000 Act were implemented in January 2004 and brought long overdue regulation to public authorities’ acquisition of communications data. The provisions are exercised under the vigilant oversight of the interception of communications commissioner, Sir Paul Kennedy, who is assisted by a team of inspectors who scrutinise public authorities’ conduct in obtaining communications data.
Application of the code will significantly reduce unnecessarily bureaucratic processes. The code makes it clear that a senior officer may authorise the obtaining of subscriber information without needing to know which service provider operates the phone number; that it is unnecessary to undertake a subscriber check prior to and separate from checking call records; and that a single authorisation may cover the acquisition of specific data and additional data that might be necessary for interpretation of the former.
When data are required in an emergency, no special internal paperwork will be needed, but the public authority must collate evidence of its decision making in operational logs, which must be available to the commissioner’s inspectors. Reflecting the operational practice of many years, the code makes it clear that a situation in which a 999 emergency call connection is lost and information is needed to provide emergency assistance to a caller within the so-called “golden hour” is outside the arrangements of the Act.
The code makes it clear that only appropriately trained and accredited investigators who understand the legislation may engage with communications service providers, to spare them from ill-informed, impractical and unlawful inquiry.
I shall now turn briefly to the investigation of protected electronic information order. By it, we are seeking the approval of a draft code of practice relating to the exercise of the powers and duties under part III of the 2000 Act to require the disclosure of protected electronic data in an intelligible form, or to require a key or password to access those data. Part III gives public authorities no new powers to seize or acquire data. It does, however, give them powers, which are to be used only when necessary and appropriate, to require data that they possess, or are likely to possess, to be made intelligible or to require disclosure of the key that will make such data intelligible.
The provisions are not in force. It has taken longer than was expected in 2000 for the same technologies that have enabled electronic commerce to develop to be taken up by terrorists and criminals to secure their information and protect and conceal evidence of unlawful conduct. Equally, encryption tools have remained cumbersome to use properly, and that has been exploited by technical facilities, such as the National Technical Assistance Centre, which process protected data on behalf of law enforcement and intelligence agencies.
Encryption tools are, however, becoming easier to use and are being installed in the standard operating system of consumer devices. The impact of encrypted data on the work of investigators and their ability to work within statutory custody time limits is increasing and will keep increasing. The Government have been clear that the provisions before us would not enter into force until the time was right for them to do so and Parliament had approved a code of practice. We believe that the time is now right.
The code of practice addresses issues on which Parliament sought clarification when the primary legislation was debated and takes account of the comments of respondents to public consultation. It also makes it clear that the overriding purpose of the provisions is to enable investigators to access lawfully acquired information in an intelligible form, not to access the keys to data.
We can expect the power to require disclosure of key material to be used only where a person who is able to put protected information into an intelligible form indicates that he will not exercise that ability voluntarily or on compulsion. The power is most likely to be exercised in relation to individuals who are the subject of investigation and who are responsible for protecting information that the authorities have obtained lawfully and which they believe to be evidence of unlawful conduct or material relevant to their investigations.
Once the provisions are in force, it will be an offence knowingly to fail to comply with the disclosure requirement, with a maximum penalty of five years’ imprisonment in national security cases, and two years’ in other cases. We have consulted on whether the five-year penalty should be available in cases relating to the possession of indecent images of children, and there is support for that, which would require an amendment to the primary legislation. We will consider taking that step after assessing how the provisions are used.
When the primary legislation was debated in Parliament, much concern was expressed about the possibility that it would criminalise people with poor memories or reverse the burden of proof on those who claimed to have forgotten or lost the keys to their data. The code makes it clear that where a person claims not to have had a key to the data, the prosecution must prove the contrary beyond reasonable doubt. Furthermore, if a person says that they no longer have the key to the data or that they do not know it, the prosecution must prove the contrary beyond reasonable doubt.
In direct response to concern expressed in public consultation, technical expertise is required to understand and apply the legislation appropriately. The code of practice makes it clear that no public authority may serve any person a part III notice without NTAC’s prior written approval. In that way, NTAC will play a crucial role in ensuring that the provisions are used appropriately, expertly and with the highest regard for compliance with the requirements and principles of the Act and the code. NTAC will also help to assure the various oversight commissioners of that.
Recognising the critical importance of the integrity of information security in the financial services sector, and in response to the concerns of Parliament and the public, the code makes it clear that no requirement to disclose a key to protected information should be imposed on any company or firm authorised by the Financial Services Authority without prior notification being given to the authority’s chief executive or to a person designated by him for that purpose.
Finally, as an additional safeguard against abuse, both codes of practice make it clear that if an oversight commissioner establishes that an individual has been adversely affected by any wilful or reckless failure by any person in a public authority to comply with the Act, the commissioner shall, subject to safeguards and national security, inform the affected individual of the existence of the investigative powers tribunal, which considers complaints about unauthorised or inappropriate conduct. That should enable that person effectively to engage the tribunal.
Subject to Parliament’s approval, both codes and the provisions of part III will commence on 1 October 2007. Arrangements for delivering briefings to practitioners and other interested parties on the detail of the new provisions and the codes are being planned. The primary responsibility of any democratic state is to protect its citizens, whether from the threats posed to all of us by terrorism or, in the case of our most vulnerable citizens, from the threat posed by sexual predators. It is right that, in doing so, the Government strike the right balance between the rights of communities and the rights of individuals. I believe that the guidance in both codes of practice does precisely that.
4.40 pm
Mr. Edward Garnier (Harborough) (Con): I welcome you to the Committee, Mr. Illsley. We touched upon many of the issues of principle that relate to these orders in another statutory instruments Committee yesterday. I have a number of points to make in the context of the official Opposition broadly welcoming the recent publication of the codes of practice and their implementation as from 1 October. We understand the need for, and support, the introduction of measures that will bear down on terrorists or potential terrorists and, as the Minister mentioned, those who indulge in child sexual abuse through the internet and other electronic means.
It would be helpful, however, when we are dealing with legislation such as the Regulation of Investigatory Powers Act 2000, for measures such as the two orders to be brought before Parliament rather more quickly than almost seven years down the line. The Minister has on his desk draft copies of the two codes of practice that we are discussing. I cannot imagine why somebody did not think of drafting the codes either during the time that the Bill was before Parliament, or in sufficiently good time for the Committee to be able to study them. I appreciate that the codes have been placed in the Libraries of both Houses but, on a matter of such importance, the information ought to have been made more widely accessible and available.
The Minister may well say, “If you can’t be bothered to go to the Library and find them, that’s your lookout.” That would be a perfectly good answer, but it would not be an entire answer. As a matter of procedure—it is not limited to these circumstances—I urge the Government to ensure that the codes of practice are made more widely and easily available not only through the Vote Office in the Palace, but in Portcullis House and other outer offices. That is not so much nit-picking as a matter of how such matters are generally presented.
It is important to bear precisely what we are talking about in mind by looking at the 2000 Act. Parliament has given permission to a number of interesting people to discover who has been metaphorically talking to whom. If one looks at section 21, one will see that certain things must be looked at before such investigations can take place. The note in the margin beside section 22 tells us that it is about:
“Obtaining and disclosing communications data”.
Section 22(1) states:
“This section applies where a person designated for the purposes of this Chapter believes that it is necessary on grounds falling within subsection (2) to obtain any communications data.”
Section 22(2) states:
“It is necessary on grounds falling within this subsection to obtain communications data if it is in the interests of national security”
—nobody would have a quarrel with that—
“for the purpose of preventing or detecting crime or of preventing disorder”.
Again, subject to understanding more precisely what “preventing disorder” means, I do not think that anyone would quarrel with that. It also uses the phrase,
“in the interests of the economic well-being of the United Kingdom”.
Again, subject to the code of practice dealing in some detailed way with what that is supposed to mean, I dare say that most people would be satisfied with that. Other grounds include the necessity to include data
“in the interests of public safety...for the purpose of protecting public health...for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department”—
here, I think, we are moving into different territory—
“for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health”,
which, depending on the circumstances, may or may not be wholly publicly acceptable, or
“any purpose (not falling within paragraphs (a) to (g)) which is specified for the purposes of this subsection by an order made by the Secretary of State.”
Here we are getting into the territory of Henry VIII, where the Government can, by order, add to or take away from the sorts of circumstances that would allow that form of investigatory power to be used.
Section 22(3) states:
“Subject to subsection (5), the designated person may grant an authorisation for persons holding offices, ranks or positions with the same relevant public authority as the designated person to engage in any conduct to which this Chapter applies.”
I put that issue to the Minister yesterday over the self-authorisation of public authorities to give permission to people to engage in what might, in some circumstances, be a highly intrusive and not altogether welcome type of inquiry. As I mentioned at the outset, I make that point in the context of understanding the policy behind both the Act and the two statutory instruments, but I think that we need to be extremely careful, as do the Government on our behalf, that those codes and draconian powers are not misused.
While I appreciate that Sir Paul Kennedy, as the commissioner mentioned in the document, has had, and no doubt he and his successors will continue to have, a close interest in how those codes are abided by, I think that, as elected representatives, we need to be careful to ensure that those codes are not abused, are properly complied with and policed.
Section 25 states that a relevant public authority means a police force, the National Criminal Intelligence Service, the National Crime Squad, the commissioners of Customs and Excise, the commissioners of Inland Revenue, any of the intelligence services and
“any such public authority not falling within paragraphs (a) to (f) as may be specified for the purposes of this subsection by an order made by the Secretary of State.”
I like to think that no Home Secretary is going to introduce, simply on a whim, a strange definition of a public authority that does not come within the broad ambit of those that deal with crime and counter-terrorism. In so far as tax evasion is a crime, I include the commissioners of the Revenue within that wider definition. However, I frequently worry about how the Government have given themselves increased powers to make orders and add to the criminal law by secondary legislation. I think that we, as a Parliament, need to be careful about letting that happen almost as a matter of routine.
The 2000 Act, as the Minister fairly said, provides for severe custodial penalties for those who fail to comply with the demands of various public authorities that have been designated and can require access to particular data. Again, I can understand the reason for that; it might encourage them to disgorge the information more carefully and quickly. However, I like to see some sort of balance. In the codes, as I understand it, there are no personal liabilities that fall upon individuals of a criminal nature, and I am encouraged in that line of argument by section 72(2), which states:
“A failure on the part of any person to comply with any provision of a code of practice for the time being in force under section 71 shall not of itself render him liable to any criminal or civil proceedings.”
I can imagine circumstances in which someone might be put to huge economic or other inconvenience and damage by means of a mistake or a malicious designated authority seeking material from him. Unless the code provides for meaningful remedies, I am saddened to say that the codes leave the citizen in a state of imbalance against the state. The state and the citizen should, by and large, be equal before the law. It may be that the citizen is a malefactor or is hiding things from the criminal investigative authorities that ought to be disclosed, but where there is a chance that there has been a mistake or misbehaviour by the authorities, the citizen should have means of adequate redress. For the code simply to allow Sir Paul or his successor to slap the chap over the wrist is not necessarily the right way to go about things.
The Minister might be able to take my fears away completely and demonstrate that there is an equality of arms before the law and that although the code is not as publicly available as I should like it to be and although the Government have given themselves permission to make further orders and powers that we have yet to see and know little about, the overall policy behind the measures could loosely be described as beneficial. To that extent, the official Opposition is prepared to give them a fair wind.
4.52 pm
David Howarth (Cambridge) (LD): It is a great pleasure to serve under your chairmanship again, Mr. Illsley. As far as I am aware, my party did not ultimately oppose the 2000 Act—in the Commons, at least—subject to several concerns about what might be in the codes of practice. In particular, there were concerns about compliance with the Human Rights Act. Each of the codes before us starts with a simple injunction to obey the Human Rights Act and gives a few simple instructions about how to do so, but I still have several questions about each code.
I shall start with the part 3 code on the investigation of protected electronic information, which concerns encryption and keys, because that is the most serious of the serious issues before us. My first question is about multi-purpose keys, about which concerns were raised when the 2000 Act was debated. It is possible—indeed, likely—that someone who has an encryption device will use it for electronic signatures, and there was a worry that the powers in the Bill would undermine certain aspects of e-commerce. The hope was that the code of practice would sort out the problem of multi-purpose keys. I may not have absorbed every word in the code, but, as far as I can see, it deals with the problem simply by saying, at 3.28, that “particular care” should be taken with such keys, and, at 8.4, that “extra care” should be taken. Simply saying, “Be careful,” is not very specific guidance, so will the Minister say a few more words on how it is envisaged that the problem will be solved?
My second point concerns the Minister’s comments on section 53(2) and the apparent reversal of the burden of proof in circumstances where someone has, or had, a key such as a password or a PIN, and is subsequently required to reveal it. What happens if they claim to have forgotten it? That does not seem an unrealistic problem, especially these days when there are so many cards and websites that require us to have PINs or the equivalent. One has these choices. One either chooses the same PIN all the time, which is extremely risky, one attempts to remember too many PINs, which cannot be done, or one writes them down, which one should not do, too. It is not an impossible set of circumstances to envisage.
I was glad to hear the Minister say that the code interprets the section as saying that when a person is in that position, it is up to the prosecution to prove that the circumstances are as it says, rather than those that the person subject to the obligation says. The problem is that I am not entirely clear how that fits with the words in the statute. I do not want to read out the whole of section 53, because it is very dense. It relates to the difference between the situation when the person came into possession of the key, and the position later on when he continues to be, at least according to the law, deemed to know what the information was. Will the Minister tell us precisely how the code protects a person in that position? Obviously codes can say how the law is to be applied, but they cannot change the wording of the statute itself.
The third point was also raised when the 2000 Act was discussed, and it has also been discussed by the Trade and Industry Committee. It is the question of the protection of seized keys—the protection of information under the powers of the Act from being misused or slipping out of the custody of the authorities. This issue is covered in section 8 of the part 3 code. What it says is little more than a bit of common sense, plus some instructions on how to ensure that items are kept physically safe and some sensible advice about not leaving information in laptop computers. Given the various problems we have had with laptop computers in recent years that is obviously sensible.
The code lays out how information or devices should be physically made safe, but it does not lay out in any great detail how they should be made safe electronically. The desire at the time was for the code to go into some detail about technical standards. The code does not seem to have done so. The hon. and learned Member for Harborough raised the question of the lack of criminal liability in circumstances where the authorities fail to fulfil their obligations, such as the obligation to protect keys that they have seized. It is very clear under section 55(4) that there is civil liability in those circumstances. Will the Minister clarify what actionable loss is envisaged under that provision? What are people allowed to sue for? For what consequences are they allowed to get compensation?
Secondly, especially in view of the later section, is it the Minister’s understanding that a breach of the code—for example, of the very sensible things that the code says about keeping seized keys under lock and key—would count as a breach of the civil obligation, or at least as evidence of such a breach?
My fourth point on the part 3 code concerns a similar issue—the compromising of the security of third parties and innocent parties. There is a risk in these operations that the security of data of people who know nothing about the operation or the underlying investigation—innocent third parties—might be compromised by a side wind of the investigation. The problem, which was raised during the passage of the 2000 Act, is that people in that situation will not normally know that that has happened. I was interested to see how that would be dealt with in the code, but I could not see anything about it.
Turning to the part 2 code, a lot of the concern about part 2 of the 2000 Act concerned the definitions that it contained—that of traffic data, for example—and the problem of confining the powers in that part of the Act to information about where a particular e-mail had been or what numbers a particular telephone had called, as opposed to the content of the communication, which is a different problem and is dealt with in a different way. Such data—where an e-mail has been, which internet server somebody has used, or which number somebody has called—used together in sophisticated ways developed since the early 1980s can reveal extraordinary amounts of information about somebody. In fact, they can be used to produce a sort of X-ray of the social structure. We are not, therefore, talking about entirely trivial matters.
The second problem is the one that was raised by the hon. and learned Member for Harborough about self-authorisation. It does not seem that the code of practice deals with that thoroughly. In small organisations, in particular, it is possible for a person to authorise himself to carry out a search—to be the applicant and the designated person in terms of the Act—which does not seem satisfactory. Although section 3.19 of the code says, and perhaps the Minister will confirm this, that it is not possible to fulfil all three roles set up by the Act—the single point of contact, the designated person and the applicant—or that that would be bad practice, it appears to say that it is perfectly good to be any two of them. That would set up a conflict of interest and reduce the amount of scrutiny that a particular application might go through.
There is a similar problem in relation to section 6.25 of the code, which concerns self-authorisation and what is called excess data, where more data come out of an exercise of that sort than was originally envisaged. What happens then, and can that data be used in another way?
My third point is a minor, perhaps linguistic, point. In relation to section 3.17, I am not sure why the role of the particular officer in such a case is to provide assurance about various things. I want to ask the Minister why that particular language was chosen. To “provide assurance” sounds like someone is being reassured, even if something is not true. It is an odd choice of words, and I wondered what lay behind it.
Finally, there is the question of disclosure to overseas authorities, and I gather that there was a discussion in a Committee yesterday about the problem of cross-border communication. The problem is that the public authority concerned appears to have the power to decide whether to provide information to an overseas authority, even where the country in question does not have an adequate data protection scheme.
The code says that the public authority may ask the Information Commissioner for guidance, but it seems to me that that is not enough. I would like to ask the Minister why it was not proposed that the Information Commissioner should, for example, maintain a list of countries that do not have adequate data protection laws and state what the particular risks are under the regimes in those countries. If we do not have a list of that sort, I cannot see how public authorities such as the police or the security services could know very much about the data protection schemes and their particular flaws in all the countries of the world. The person best placed to do that sort of research seems to be the Information Commissioner. Adding to that, we should put an obligation on the public authorities to consult the Information Commissioner, rather than simply suggesting that they might want to do something, if they feel like it.
With those questions in mind, I am not minded to divide the Committee, but I will ask the Minister for some satisfaction on those particular matters.
5.8 pm
Sir Paul Beresford (Mole Valley) (Con): I also welcome you to the Chair, Mr. Illsley, and hon. Members to the Committee.
I am supporting my Front-Bench colleagues in their support for the orders, but perhaps from a slightly different position. My particular interest is the encryption regulation, as the Minister will be aware, having been tipped off by his officials that I am likely to approach the issue from that particular angle.
The importance of encryption is that the police have been waiting for seven years, as my hon. and learned Friend the Member for Harborough pointed out, for this particular statutory instrument to go through, because they want to use the legislation in serious cases involving fraud, serious robbery, smuggling, human trafficking and paedophilia, just to touch on a few. It is vital that the police can access the information that is on the computers. They increasingly find when they get to encrypted computers that the hard drive is not even there, that the individual has logged on using a floppy disk or that a PIN or key is needed to access the information.
The police are also becoming increasingly aware that the quality of encryption is improving dramatically. I understand that it is quite simple to download free software on the internet, such as 256-bit software, so that the encryption cannot be broken by the facilities available to us. The latest and more professional form of Vista software that is becoming available automatically encrypts the moment the computer is turned off. Yesterday, Sir Ken Macdonald, head of the Crown Prosecution Service, addressed the all-party group on human trafficking. I asked him about this particular piece of legislation and the fact that there was a maximum penalty of two years. His answer was politely derisory. He said that serious criminals will not be bothered by this sort of legislation. I refer to that, because the Minister has said that the Government are re-examining foreign legislation and considering moving on before primary legislation as a result of this particular instrument. The reality is, however, that it will not work.
May I ask the Minister—I did this once before with one of his predecessors—to step into the shoes of a paedophile? I am sure, and I hope, that he will find that difficult. He is a typical paedophile, sitting at his computer. He has a collection of data in front of him—that data incriminates himself and some of his colleagues, because even though they are loners, they often work together—and pictures of children. The police would like those pictures, because they want to find, help and bring health services to those children. They want to break the cycle of abuse whereby those who are abused often go on to abuse.
In essence, I welcome this measure, even though it is scratching rather than breaking the ice, it is seven years late and it is timid. Therefore, I ask the Minister not to wait to assess how the instrument works, but to recognise the results of the consultation that has already gone on and come back with legislation that greatly strengthens that.
As the Minister will have been advised, there is a general feeling among those who are concerned that two years should be 10 for paedophile activities and also, I suspect, for human trafficking. Therefore, although I welcome the measure, it is timid and late.
5.13 pm
Mr. McNulty: Let me start on that last point. There are difficulties, and I have said that the matter should be reviewed. The Government have always recognised the concern that an offender may happily accept a lesser sentence for fear of what might be revealed if the key and the encryption is secured, which would result in a much longer sentence. We cannot impose the penalty for the predicate offence in the absence of evidence for that offence, otherwise there will be a disproportionate penalty for the offence of failing to disclose the information in the first place, which sounds like legal gobbledegook, but it makes sense to me.
Mr. Garnier: And me.
Mr. McNulty: I am grateful to the hon. and learned Gentleman. However, it is a genuine concern and one worth considering. The position that the hon. Member for Mole Valley poses is quite real. Let us suppose that someone does not give up the key or encryption and they are the only one with that key: the data on their machine that could cost them eight, 10 or 15 years would not be cracked. If the penalty for non-disclosure is two years, it is not hard to work out the attraction of the respective alternatives. It is an area that we need to look at in more detail. Off the top of my head, and happily I am no lawyer, 10 years for claims, assertions or suspicions in respect of paedophile information being on computers and for failure to disclose that information would appear, from what I know about the rest of the law, to be a disproportionate response. However, we need to consider that in the broader sense, beyond these orders.
I know that the hon. Gentleman has met the Under-Secretary of State for the Home Department, my hon. Friend the Member for Gedling (Mr. Coaker), among others, to discuss this, and that it is an ongoing concern. In this instance at least, I did not need people who are not in the Room to tip me off; I already knew about his interest.
Mr. McNulty: I accept that; we need to look into this in more detail.
I do not accept the point made by the hon. and learned Member for Harborough about the Government’s failure in terms of the drafts. Draft codes have been around since 2000, when the RIPA was passed. The communications data code has been published by the Home Office since January 2004 and revised frequently, and the draft encryption code was published in the first instance and then revised in March 2006. I take his practical point that it might have been a courtesy appreciated by all Committee members had the two most recent drafts landed on their desks along with the rest of the papers. I take that as a concern, but it is wrong to suggest that the codes have only just arrived and have not been around in some draft form or other for the past few years.
It would be difficult to get to the literal equality of arms that the hon. and learned Gentleman suggested: two or five years versus what befalls a transgressor, in terms of a designated person or anyone else. The role of the commissioner and the tribunal could not be described as simply involving a slap on the wrist. As others have said, it opens up the possibility of awards for damages—it has done so—and for the destruction of information. In this world, although someone who has this sort of transgression against their name may not be incarcerated, they would find it difficult to secure similar work in such a sensitive field. It is a big deal to transgress and then be taken through the whole tribunal process, with the potential for damages; it is not the simple slap on the wrist that the hon. and learned Gentleman suggests.
Mr. Garnier: I do not want the Minister to get the impression that I am in the least bit sympathetic to potentially serious criminals, who need to be investigated and prosecuted. It is often said about those who are acquitted justifiably of criminal offences before the Crown court that the acquittal is vindication enough. One of the problems is that in the sort of area that we are talking about, particularly that which my hon. Friend the Member for Mole Valley is discussing, the reputation of someone who is known to have had their computers investigated by the police in relation to paedophile activity is probably ruined for ever, even though they may ultimately be found not guilty of any offence.
Perhaps the rather clumsy expression I used in my opening remarks is better edited: although equality of arms might be impossible to achieve, we must have an understanding of the damage that can be done to innocent people, particularly in such circumstances. Although I appreciate that the power to award compensation is available to the tribunal and the commissioner, there is a need for vindication and for someone to be able to clear their reputation in the event that they are unwittingly and unjustly caught up in this sort of investigation.
Mr. McNulty: I entirely accept that point. I thought that the hon. and learned Gentleman was suggesting that there was not sufficient penalty on the side of those who capriciously, recklessly and so on pursue such an investigation against an individual—through the tribunal system there is. Particularly, but not only, where it is proved that pursuit of an individual has been reckless, capricious or malicious, the points made about vindication and damage to that individual are entirely fair and must be borne in mind.
The hon. and learned Member for Harborough and the hon. Member for Cambridge made a lot of comments, which I shall address in no particular order. I think that I am right that the point about providing assurance, which is expressed in that strange way in section 3.17 of the code, means that the single point of contact is, effectively, the angel sitting on the side of the designated person to assure them at every stage that what they are doing is duly legal and compliant with the law. In that context, as ever with legal language, assurance has that inference in statute—the hon. Member for Cambridge will know that far better than I. Furthermore, there will be an obligation on the single point of contact to tell the individual, every now and then, that which they might not want to hear. It is a sort of quality-assurance guardian-angel approach.
The hon. Gentleman was not entirely right when he said that we would be better served if the document contained all sorts of technical specifications, because those will change. The orders provide for broad, overarching codes of practice. Those involved on a regular basis with that body of the work will know the most appropriate way in which to do that. In that regard, the NTAC will offer advice and provide secure facilities, but it might be a tad excessive not only to have the two documents under discussion, but supplementary technical specifications about the best way to do things.
I meant to say earlier that I would never contemplate telling the hon. and learned Member for Harborough that if he cannot be bothered going to a library, it is his look-out. That is not the sort of language that I use, or my approach to such matters. As for his broader point, I have dealt with that already.
In 2006, some purposes were added by order to the list contained in the 2000 Act. Those were:
“(a) to assist investigations into alleged miscarriages of justice;
(b) for the purpose of—
(i) assisting in identifying any person who has died otherwise than as a result of crime or who is unable to identify himself because of a physical or mental condition, other than one resulting from crime”—
such as one resulting from a natural disaster or accident—
“(ii) obtaining information about the next of kin or other connected persons of such a person or about the reason for his death or condition.”
Apart from the language in which they are written, those are all perfectly reasonable additions to the order. The explanatory memorandum states:
“Tony McNulty, Minister of State for the Home Department, has made the following”—
“statement regarding Human Rights:
‘In my view the provisions of The Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007 are compatible with the Convention.’”
I think that I might have said—rather rashly—the same about the other order in the explanatory memorandum, so we do believe that they comply. [Interruption.] No, I did not just sign it; I did so with the full understanding of what I was signing.
Mr. Garnier: We are hugely reassured.
Mr. McNulty: Well, there we are. I have read the orders carefully and signed accordingly. I am not so foolish as to sign anything that is put under my nose.
The point about multi-use keys was interesting in the sense that the disclosure notice should be specific about what encrypted data, or otherwise, is required—and that is all. As has been suggested, particular care should be taken when a multi-use key is required to access protected information or disclose it in an intelligible form. The notice must explain explicitly what is required and that it is proportionate to what is sought to be achieved. I take the point that as the order puts in place the code of practice, and as the technology develops, the industry and the authorities might need to look again at that.
I thought that that was a perfectly fair point, as was the point about how a key can be retained in an individual’s memory. In reality, as I have said, the prosecutor can never prove that the defendant has not forgotten. However, it is incumbent on the prosecution to prove by physical evidence—either by recent usage tracked or in some other fashion—that the individual has used the key recently. It is not enough to say, “Well, you might have forgotten, sonny, but we are going to beat it out of you anyway”. The burden is on the prosecution to say, “There is an encryption key to the data. You have used it recently because we have evidence of such use or we have evidence of data that shows clearly that you must have a key.” It is not put in the most perfect way in the code of practice but, with the shift in the burden of proof suggested by the hon. Member for Cambridge, it achieves what is ultimately required.
Mr. Garnier: It often happens that prosecutions prove their cases on the basis of reasonable inference. Obviously, the inference has to be proved to the requisite standard of proof, but inferential cases adduced by prosecutions are not unheard of.
Mr. McNulty: Will the hon. and learned Gentleman repeat his response? I missed the last bit.
Mr. Garnier: It is not uncommon for the prosecution to prove a case, when it does not have physical evidence, on the basis of an inference or an inferential case. If a person has done certain things in the past, the chances are that that person has done such things now. A set of circumstances is built up, which inevitably—as the prosecution would say—leads to the conclusion that the person must have so acted.
With the greatest respect, many other points were more about the parent Act, RIPA, than the specifics. It sounds complicated, but the matter is straightforward. I take the point that all three—the single point of contact, the designated person and the applicant—should not be the same person. Paragraph 3.19 of the code covers the issue in the sense that the single point of contact may be an individual who is also a designated person. We have that combination. The single point of contact may be an individual who is also an applicant, which is perfectly reasonable. The same person should not be an applicant, a designated person and a single point of contact. Equally, the applicant and the designated person should not be the same person. I accept that that reads a little like an IQ question, such as what combinations remain and what combinations can there be, but having read the provision a few times it covers the matter.
It is absolutely crucial that the individual should not be the single point of contact, the designated person and the applicant, and that the same person should never be both the applicant and the designated person. There are combinations when the single point of contact comes into play, but the fear of the hon. Member for Cambridge about a conflict of interest or a common interest when there should not be one is covered discernibly by part of the code, although perhaps he should read it again—or perhaps I should read it again.
David Howarth: We should all read it again. The specific problem concerns the applicant and the authorising official. If we can have the Minister’s assurance on that particular point, all the other matters will be less important.
Mr. McNulty: Paragraph 3.19 is absolutely clear. It states that the same person should never be both the applicant and the designated—that is, authorised—person. That is entirely fair.
Any foreign authority within the European Union will be bound by the same directive. I shall write to the hon. Gentleman and members of the Committee to clarify matters. It is stated that the starting point for any public authority needing to disclose communication data outside the European Union is to assess whether the data will be adequate and protected, and what steps can be taken to ensure that that is so. That is fine. It tells me that the hon. Gentleman’s point is therefore covered.
However, I am not sure about the incumbent duty on the public authority in the United Kingdom to desist from providing such data if that data cannot be adequately protected or the steps necessary to do so cannot be assured.
David Howarth: My main point was how a public authority that has some other function makes the judgment. Surely the Information Commissioner is in a much better position to make judgments about the situation in other countries than the public authorities that we are discussing. Should not there be a duty on the public authorities to consult the Information Commissioner, not only a suggestion that they might—as appears to be the case at present?
Mr. McNulty: Without besmirching the reputation of the Information Commissioner in any way, I am not sure that he would necessarily have that information to hand, so I do not know whether that duty would be appropriate. I will explore the matter, and get back to the hon. Gentleman about the strength of the duty to get further advice. It may be that NTAC or some other body can provide that. As he suggests, the point about the incumbent duty on the public authority to ensure that security and other elements are available for sharing with non-EU people is fair, and I shall consider that.
Again, the point about e-mail headers is perfectly fair. I am told that work is being done with communications service providers to ensure that e-mail subject lines are not disclosed under the RIPA provisions. Often, with short e-mails the header line becomes the substance of the e-mail—I certainly do not bother going down a further line to read the body of the e-mail. Work is being done under the broader RIPA provisions for precisely the reason that the hon. Gentleman suggests, which is that the e-mail header line is not secure.
Given the substance of the regulatory framework that is imposed by the 2000 Act and its interplay with both the guidance and the code of practice, I think that on balance, with the penalties imposed as they are, self-authorisation is appropriate for the reasons that are laid out in the code of practice. That is a matter of judgment, but I think that there would need to be an entirely new paraphernalia established in the courts, or under the Information Commissioner or whatever, if every single authorisation for involvement in such matters had to go before an outside regulatory body. The important element is that the regulatory framework, the code of practice, the guidance, and the interplay with the Information Commissioner work well. Thus far, I have no reason to suspect that they have not worked well or that they will not continue to do so.
There is a fear, which the House may need to deal with in three or five years’ time, about the sheer volume involved as more and more of our daily business is transacted in such a fashion, but that is a different point from the main issue. I am told—by the magic of inspiration that comes from my wonderful Parliamentary Private Secretary—that inquiries that go beyond the EU will be routed through the Serious Organised Crime Agency, which is our focal point, and through Interpol and other agencies. Again, I say quite freely that there are issues relating to the constituent member states of Interpol. Membership of Interpol does not mean utter integrity, security and all the other elements involved with data.
Sir Paul Beresford: I would like to help the Minister a little because Sir Ken Macdonald was asked about that very point yesterday. He was also asked about the close relationship between his service and his opposite numbers in a number of other countries. He said that such relations depend on careful recognition of the countries and the nature of those countries and whether they may have officials, politicians, police and so on who are corrupt. The information that they transfer is limited, in recognition of those facts, so in effect that is happening without the regulation.
Mr. McNulty: That is right and proper. Much more can be deduced from those connections than from imposing a statutory duty on the Information Commissioner. Action is being taken, but I am not sure that I would agree that it needs to be taken in the way that the hon. Gentleman suggested.
I apologise if my comments have not covered every nook and cranny of the questions raised, which were all perfectly fair inquiries or comments, but I have finished. I commend the order to the House.
Question put and agreed to.
That the Committee has considered the draft Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007.

Draft Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007

That the Committee has considered the draft Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007.—[Mr. McNulty.]
Committee rose at twenty-six minutes to Six o’clock.


©Parliamentary copyright 2007
Prepared 18 July 2007