The Committee consisted of the following Members:
Chairman: Mr. Eric Illsley
Battle, John (Leeds, West) (Lab)
Beresford, Sir Paul (Mole Valley) (Con)
Blunt, Mr. Crispin (Reigate) (Con)
Burden, Richard (Birmingham, Northfield) (Lab)
Campbell, Mr. Alan (Lord Commissioner of Her Majesty's Treasury)
Clegg, Mr. Nick (Sheffield, Hallam) (LD)
Clelland, Mr. David (Tyne Bridge) (Lab)
Corbyn, Jeremy (Islington, North) (Lab)
Garnier, Mr. Edward (Harborough) (Con)
Hepburn, Mr. Stephen (Jarrow) (Lab)
Hewitt, Ms Patricia (Leicester, West) (Lab)
Howarth, David (Cambridge) (LD)
McNulty, Mr. Tony (Minister of State, Home Department)
Osborne, Sandra (Ayr, Carrick and Cumnock) (Lab)
Reed, Mr. Jamie (Copeland) (Lab)
Scott, Mr. Lee (Ilford, North) (Con)
Shepherd, Mr. Richard (Aldridge-Brownhills) (Con)
Hannah Weston, Committee Clerk
attended the Committee
Fifth Delegated Legislation Committee
Tuesday 17 July 2007
[Mr. Eric Illsley in the Chair]
Draft Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007
4.30 pm
The Minister of State, Home Department (Mr. Tony McNulty): I beg to move,
That the Committee has considered the draft Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007.
The Chairman: With this it will be convenient to consider the draft Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007.
Mr. McNulty: I warmly welcome you to our deliberations, Mr. Illsley, and thank you for chairing today's proceedings. I say that with a slight smirk on my face because I forgot to make such a remark yesterday to Mr. Hancock. Kind as my colleagues are, they reminded me of it throughout the 50 minutes of those proceedings, so I am pleased that I remembered to offer a welcome today.
The orders are
made under section 71 of the Regulation of Investigatory Powers Act
2000 and were laid before Parliament on 14 June. The purpose of the
first order is to secure approval for a draft code of practice relating
to the acquisition and disclosure of communications
data under the 2000 Act, the acquisition of data by public authorities,
and its disclosure by communications service providers. Communications
data, such as telephone and internet subscriber
information, allocation of internet addresses, itemised call records
and mobile phone location data, remain vital tools in the prevention
and detection of crime and in safeguarding the public. Data about who
contacted whom and when provide evidence of association between
individuals and of the time and place of events, corroborate the
testimony of victims and witnesses, and provide evidence of innocence.
Most importantly, such data are not about the content of
communications; they do not include what was said in telephone calls or
written in emails.
The provisions in chapter 2 of the 2000 Act were implemented in January 2004 and brought long overdue regulation to public authorities' acquisition of communications data. The provisions are exercised under the vigilant oversight of the interception of communications commissioner, Sir Paul Kennedy, who is assisted by a team of inspectors who scrutinise public authorities' conduct in obtaining communications data.
A draft code of practice has been in place since the implementation of the provisions. It has been
extensively revised to take account of what happens in practice and to
address issues about which public authorities
and communications service providers have sought guidance or
clarification. Sir Paul and his inspectors contributed significantly to
the development of the code of practice, as did respondents to a public
consultation on the draft. The code presented to Parliament sets out
procedures that will ensure proper respect for individual human rights
and reflect the reality of operational and investigative
work.
Application of
the code will significantly reduce unnecessarily bureaucratic
processes. The code makes it clear that a senior officer may authorise
the obtaining of subscriber information without needing to know which
service provider operates the phone number; that it
is unnecessary to undertake a subscriber check prior to and separate
from checking call records; and that a single authorisation may cover
the acquisition of specific data and additional data that might be
necessary for interpretation of the
former.
When data are required in an emergency, no special internal paperwork will be needed, but the public authority must collate evidence of its decision making in operational logs, which must be available to the commissioner's inspectors. Reflecting the operational practice of many years, the code makes it clear that a situation in which a 999 emergency call connection is lost and information is needed to provide emergency assistance to a caller within the so-called "golden hour" is outside the arrangements of the Act.
The code makes
it clear that only appropriately trained and accredited investigators
who understand the legislation may engage with communications service
providers, to spare them from ill-informed, impractical and unlawful
inquiry.
I shall now
turn briefly to the investigation of protected electronic information
order. By it, we are seeking the approval of a draft code of practice
relating to the exercise of the powers and duties under part III of the
2000 Act to require the disclosure of protected electronic data in an
intelligible form, or to require a key or password to access those
data. Part III gives public authorities no new powers to seize or
acquire data. It does, however, give them powers, which are to be used
only when necessary and appropriate, to require data that they possess,
or are likely to possess, to be made intelligible or to require
disclosure of the key that will make such data intelligible.
The provisions are not in
force. It has taken longer than was expected in 2000 for the same
technologies that have enabled electronic commerce to develop to be
taken up by terrorists and criminals to secure their information and
protect and conceal evidence of unlawful conduct. Equally, encryption
tools have remained cumbersome to use properly, and that has been
exploited by technical facilities, such as the National Technical
Assistance Centre, which process protected data on behalf of law
enforcement and intelligence agencies.
Encryption tools are, however,
becoming easier to use and are being installed in the standard
operating system of consumer devices. The impact of encrypted data on
the work of investigators and their ability to work within statutory
custody time limits is increasing and will keep increasing. The
Government have been clear that the provisions before us would not
enter into
force until the time was right for them to do so and Parliament had
approved a code of practice. We believe that the time is now
right.
The code of
practice addresses issues on which Parliament sought clarification when
the primary legislation was debated and takes account of the comments
of respondents to public consultation. It also makes it clear that the
overriding purpose of the provisions is to enable investigators to
access lawfully acquired information in an intelligible form, not to
access the keys to data.
We can expect the power to
require disclosure of key material to be used only where a person who
is able to put protected information into an
intelligible form indicates that he will not exercise that
ability voluntarily or on compulsion. The power is most likely to be
exercised in relation to individuals who are the subject of
investigation and who are responsible for protecting information that
the authorities have obtained lawfully and which they believe to be
evidence of unlawful conduct or material relevant to their
investigations.
Once
the provisions are in force, it will be an offence knowingly to fail to
comply with the disclosure requirement, with a maximum penalty of five
years' imprisonment in national security cases, and two
years in other cases. We have consulted on whether the
five-year penalty should be available in cases relating to the
possession of indecent images of children, and there is support for
that, which would require an amendment to the primary legislation. We
will consider taking that step after assessing how the provisions are
used.
When the
primary legislation was debated in Parliament, much concern was
expressed about the possibility that it would criminalise people with
poor memories or reverse the burden of proof on those who
claimed to have forgotten or lost the keys to their data. The code
makes it clear that where a person claims not to have had a key to the
data, the prosecution must prove the contrary beyond reasonable doubt.
Furthermore, if a person says that they no longer have the key to the
data or that they do not know it, the prosecution must prove the
contrary beyond reasonable doubt.
In direct response to concern
expressed in public consultation, technical expertise
is required to understand and apply the legislation appropriately. The
code of practice makes it clear that no public authority may serve any
person a part III notice without NTAC's prior written approval.
In that way, NTAC will play a crucial role in ensuring that the
provisions are used appropriately, expertly and with the highest regard
for compliance with the requirements and principles of the Act and the
code. NTAC will also help to assure the various oversight commissioners
of that.
Recognising
the critical importance of the integrity of information security in the
financial services sector, and in response to the concerns of
Parliament and the public, the code makes it clear that no requirement
to disclose a key to protected information should be imposed on any
company or firm authorised by the Financial Services Authority without
prior notification being given to the authority's chief
executive or to a person designated by him for that purpose.
Finally, as an additional
safeguard against abuse, both codes of practice make it clear that if
an oversight commissioner establishes that an individual has been
adversely affected by any wilful or reckless failure by any person in a
public authority to comply with the Act, the commissioner shall,
subject to safeguards and national security, inform the affected
individual of the existence of the investigative powers tribunal, which
considers complaints about unauthorised or
inappropriate conduct. That should enable that person effectively to
engage the tribunal.
Subject to Parliament's
approval, both codes and the provisions of part III will commence on 1
October 2007. Arrangements for delivering briefings to practitioners
and other interested parties on the detail of the new provisions and
the codes are being planned. The primary responsibility of any
democratic state is to protect its citizens, whether from the threats
posed to all of us by terrorism or, in the case of our most vulnerable
citizens, from the threat posed by sexual predators. It is right that,
in doing so, the Government strike the right balance between the rights
of communities and the rights of individuals. I believe that the
guidance in both codes of practice does precisely
that.
4.40 pm
Mr. Edward Garnier (Harborough) (Con): I welcome you to the
Committee, Mr. Illsley. We touched upon many of the issues
of principle that relate to these orders in another statutory
instruments Committee yesterday. I have a number of points to make in
the context of the official Opposition broadly welcoming the recent
publication of the codes of practice and their implementation as from 1
October. We understand the need for, and support, the introduction of
measures that will bear down on terrorists or potential terrorists and,
as the Minister mentioned, those who indulge in child sexual abuse
through the internet and other electronic means.
It would be helpful, however,
when we are dealing with legislation such as the Regulation of
Investigatory Powers Act 2000, for measures such as the two orders to
be brought before Parliament rather more quickly than almost seven
years down the line. The Minister has on his desk draft copies of the
two codes of practice that we are discussing. I cannot imagine why
somebody did not think of drafting the codes either during the time
that the Bill was before Parliament, or in sufficiently good time for
the Committee to be able to study them. I appreciate that the codes
have been placed in the Libraries of both Houses but, on a matter of
such importance, the information ought to have been made more widely
accessible and available.
The Minister may well say, "If you can't be bothered to go to the Library and find them, that's your lookout." That would be a perfectly good answer, but it would not be an entire answer. As a matter of procedure - it is not limited to these circumstances - I urge the Government to ensure that the codes of practice are made more widely and easily available not only through the Vote Office in the Palace, but in Portcullis House and other outer offices. That is not so much nit-picking as a matter of how such matters are generally presented.
It is important to bear precisely what we are talking about in mind by looking at the 2000 Act. Parliament has given permission to a number of interesting people to discover who has been metaphorically talking to whom. If one looks at section 21, one will see that certain things must be looked at before such investigations can take place. The note in the margin beside section 22 tells us that it is about:
"Obtaining and disclosing communications data."
Section 22(1) states:
"This section applies where a person designated for the purposes of this Chapter believes that it is necessary on grounds falling within subsection (2) to obtain any communications data."
Section 22(2) states:
"It is necessary on grounds falling within this subsection to obtain communications data if it is necessary...in the interests of national security"
nobody would have a quarrel with that
"for the purpose of preventing or detecting crime or of preventing disorder."
Again, subject to understanding more precisely what "preventing disorder" means, I do not think that anyone would quarrel with that. It also uses the phrase,
"in the interests of the economic well-being of the United Kingdom."
Again, subject to the code of practice dealing in some detailed way with what that is supposed to mean, I dare say that most people would be satisfied with that. Other grounds include the necessity to include data
"in the interests of public safety...for the purpose of protecting public health...for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department"
here, I think, we are moving into different territory
"for the purpose, in an emergency, of preventing death or injury or any damage to a person's physical or mental health, or of mitigating any injury or damage to a person's physical or mental health,"
which, depending on the circumstances, may or may not be wholly publicly acceptable, or
"any purpose (not falling within paragraphs (a) to (g)) which is specified for the purposes of this subsection by an order made by the Secretary of State."
Here we are
getting into the territory of Henry VIII, where the Government can, by
order, add to or take away from the sorts of circumstances that would
allow that form of investigatory power to be used.
Section 22(3) states:
"Subject to subsection (5), the designated person may grant an authorisation for persons holding offices, ranks or positions with the same relevant public authority as the designated person to engage in any conduct to which this Chapter applies."
I put that issue to the Minister
yesterday over the self-authorisation of public authorities to give
permission to people to engage in what might, in some circumstances, be
a highly intrusive and not altogether welcome type of inquiry. As I
mentioned at the outset, I make that point in the context of
understanding the policy behind both the Act and the two statutory
instruments, but I think that we need to be extremely careful, as do
the Government on our behalf, that those codes and draconian powers are
not misused.
While I appreciate that Sir Paul Kennedy, as the commissioner mentioned in the document, has had, and no doubt he and his successors will continue to have, a close interest in how those codes are abided by, I think that, as elected representatives, we need to be careful to ensure that those codes are not abused, are properly complied with and policed.
Section 25 states that a relevant public authority means a police force, the National Criminal Intelligence Service, the National Crime Squad, the commissioners of Customs and Excise, the commissioners of Inland Revenue, any of the intelligence services and
"any such public authority not falling within paragraphs (a) to (f) as may be specified for the purposes of this subsection by an order made by the Secretary of State."
I like
to think that no Home Secretary is going to introduce, simply on a
whim, a strange definition of a public authority that does not come
within the broad ambit of those that deal with crime and
counter-terrorism. In so far as tax evasion is a crime, I include the
commissioners of the Revenue within that wider definition. However, I
frequently worry about how the Government have given themselves
increased powers to make orders and add to the criminal law by
secondary legislation. I think that we, as a Parliament, need to be
careful about letting that happen almost as a matter of
routine.
The 2000
Act, as the Minister fairly said, provides for severe custodial
penalties for those who fail to comply with the demands of various
public authorities that have been designated and can require access to
particular data. Again, I can understand the reason for that;
it might encourage them to disgorge the information more carefully and
quickly. However, I like to see some sort of balance. In the codes, as
I understand it, there are no personal liabilities that fall upon
individuals of a criminal nature, and I am encouraged in that line of
argument by section 72(2), which states:
"A failure on the part of any person to comply with any provision of a code of practice for the time being in force under section 71 shall not of itself render him liable to any criminal or civil proceedings."
I
can imagine circumstances in which someone might be put to huge
economic or other inconvenience and damage by means of a mistake or a
malicious designated authority seeking material from him. Unless the
code provides for meaningful remedies, I am saddened to say that the
codes leave the citizen in a state of imbalance against the state. The
state and the citizen should, by and large, be equal before the law. It
may be that the citizen is a malefactor or is hiding things from the
criminal investigative authorities that ought to be disclosed, but
where there is a chance that there has been mistake or misbehaviour by
the authorities, the citizen should have means of adequate redress. For
the code simply to allow Sir Paul or his successor to slap the chap
over the wrist is not necessarily the right way to go about
things.
The Minister
might be able to take my fears away completely and demonstrate that
there is an equality of arms before the law and that although the code
is not as publicly available as I should like it to be and although the
Government have given themselves permission to make further orders and
powers that we have yet to see and know little about, the overall
policy
behind the measures could loosely be described as beneficial. To that
extent, the official Opposition is prepared to give them a fair
wind.
4.52 pm
David Howarth (Cambridge) (LD): It is a great pleasure to serve under your chairmanship again, Mr. Illsley. As far as I am aware, my party did not ultimately oppose the 2000 Act - in the Commons, at least - subject to several concerns about what might
be in the codes of practice. In particular, there were concerns about
compliance with the Human Rights Act. Each of the codes before us
starts with a simple injunction to obey the Human Rights Act and gives
a few simple instructions about how to do so, but I still have several
questions about each code.
I shall start with the part 3
code on the investigation of protected electronic information, which
concerns encryption and keys, because that is the most serious of the
serious issues before us. My first question is about multi-purpose
keys, about which concerns were raised when the 2000 Act was debated.
It is possible - indeed, likely - that someone who has an
encryption device will use it for electronic signatures, and there was
a worry that the powers in the Bill would undermine certain aspects of
e-commerce. The hope was that the code of practice would sort out the
problem of multi-purpose keys. I may not have absorbed every word in
the code, but, as far as I can see, it deals with the problem simply by
saying, at 3.28, that particular care should be taken
with such keys, and, at 8.4, that extra care should be
taken. Simply saying, "Be careful", is not very specific
guidance, so will the Minister say a few more words on how it is
envisaged that the problem will be
solved?
My second
point concerns the Minister's comments on section 53(2) and the
apparent reversal of the burden of proof in circumstances where someone
has, or had, a key such as a password or a PIN, and is subsequently
required to reveal it. What happens if they claim to have forgotten it?
That does not seem an unrealistic problem, especially these days when
there are so many cards and websites that require us to have PINs or
the equivalent. One has these choices. One either chooses the same PIN
all the time, which is extremely risky, one attempts to remember too
many PINs, which cannot be done, or one writes them down, which one
should not do, too. It is not an impossible set of circumstances to
envisage.
I was glad
to hear the Minister say that the code interprets the section as saying
that when a person is in that position, it is up to the prosecution to
prove that the circumstances are as it says, rather than those that the
person subject to the obligation says. The problem is that I am not
entirely clear how that fits with the words in the statute. I do not
want to read out the whole of section 53, because it is very dense. It
relates to the difference between the situation when the person came
into possession of the key, and the position later on when he continues
to be, at least according to the law, deemed to know what the
information was. Will the Minister tell us precisely how the code
protects a person in that position? Obviously codes can say how the law
is to be applied, but they cannot change the wording of the statute
itself.
The third point was also raised
when the 2000 Act was discussed, and it has also been discussed by the
Trade and Industry Committee. It is the question of the
protection of seized keys - the protection of information under
the powers of the Act from being misused or slipping out of the custody
of the authorities. This issue is covered in section 8 of the part 3
code. What it says is little more than a bit of common sense, plus some
instructions on how to ensure that items are kept physically safe and
some sensible advice about not leaving information in laptop computers.
Given the various problems we have had with laptop computers in recent
years, that is obviously sensible.
The code
lays out how information or devices should be physically made safe, but
it does not lay out in any great detail how they should be made safe
electronically. The desire at the time was for the code to go into some
detail about technical standards. The code does not seem to have done
so. The hon. and learned Member for Harborough raised the question of
the lack of criminal liability in circumstances where the authorities
fail to fulfil their obligations, such as the obligation to protect
keys that they have seized. It is very clear under section 55(4) that
there is civil liability in those circumstances. Will the Minister
clarify what actionable loss is envisaged under that provision? What
are people allowed to sue for? For what consequences are they allowed
to get
compensation?
Secondly, especially in view of the later section, is it the Minister's understanding that a breach of the code - for example, of the very sensible things that the code says about keeping seized keys under lock and key - would count as a breach of the civil obligation, or at least as evidence of such a breach?
My fourth point on the part 3 code concerns a similar issue - the compromising of the security of third parties and innocent parties. There is a risk in these operations that the security of data of people who know nothing about the operation or the underlying investigation - innocent third parties - might be compromised
by a side wind of the investigation. The problem, which was raised
during the passage of the 2000 Act, is that people in that situation
will not normally know that that has happened. I was interested to see
how that would be dealt with in the code, but I could not see anything
about it.
Turning to the part 2 code, a lot of the concern about part 2 of the 2000 Act concerned the definitions that it contained - that of traffic data, for example - and the problem of confining the powers in that part of the Act to information about where a particular e-mail had been or what numbers a particular telephone had called, as opposed to the content of the communication, which is a different problem and is dealt with in a different way. Such data - where an e-mail has been, which internet server somebody has used, or which number somebody has called - used together in sophisticated ways
developed since the early 1980s can reveal extraordinary amounts of
information about somebody. In fact, they can be used to produce a sort
of X-ray of the social structure. We are not, therefore, talking about
entirely trivial matters.
The main concern was about
separating such traffic data from content, and that was largely allayed
during the passage of the 2000 Act. However, there are still a
couple of questions to be asked. For example, the code
mentions using e-mail headers and e-mail routing information, and it
refers to the problem that if one uses that information, it will
invariably include a subject line - what the e-mail was
about - and subject lines are content, not traffic data. How do we
ensure that the right procedure has been followed, if that content is
to be used? I am not clear how the code of practice deals with that
matter. It seems to point out that it is a problem and that people
should be careful about it, but it does not say what they are to do
about it.
The second
problem is the one that was raised by the hon. and learned Member for
Harborough about self-authorisation. It does not seem that the code of
practice deals with that thoroughly. In small organisations, in
particular, it is possible for a person to authorise himself to carry
out a search - to be the applicant and the designated person in terms of the Act - which does not seem satisfactory. Although section 3.19 of the code says, and perhaps the Minister will confirm this, that it is not possible to fulfil all three roles set up by the Act - the single point of contact, the designated person and the applicant - or that that would be bad practice, it appears to say
that it is perfectly good to be any two of them. That would set up a
conflict of interest and reduce the amount of scrutiny that a
particular application might go
through.
There is a
similar problem in relation to section 6.25 of the code, which concerns
self-authorisation and what is called excess data, where more data come
out of an exercise of that sort than was originally envisaged. What
happens then, and can that data be used in another
way?
My third point
is a minor, perhaps linguistic, point. In relation to section 3.17, I
am not sure why the role of the particular officer in such a case is to
provide assurance about various things. I want to ask the Minister why
that particular language was chosen. "To provide
assurance" sounds like someone is being reassured, even if
something is not true. It is an odd choice of words, and I wondered
what lay behind
it.
Finally,
there is the question of disclosure to overseas authorities, and I
gather that there was a discussion in a Committee yesterday about the
problem of cross-border communication. The problem is that the public
authority concerned appears to have the power to decide whether to
provide information to an overseas authority, even where the country in
question does not have an adequate data protection
scheme.
The code says
that the public authority may ask the Information Commissioner for
guidance, but it seems to me that that is not enough. I would like to
ask the Minister why it was not proposed that the Information
Commissioner should, for example, maintain a list of countries that do
not have adequate data protection laws and state what the particular
risks are under the regimes in those countries. If we do not have a
list of that sort, I cannot see how public authorities such as the
police or the security services could know very much about the data
protection schemes and their particular flaws in all the countries of
the world. The person best placed to do that sort of research seems to
be the Information Commissioner. Adding to that, we should put an
obligation on the public authorities to
consult the Information Commissioner, rather than simply suggesting that
they might want to do something, if they feel like it.
With those questions in mind,
I am not minded to divide the Committee, but I will ask the Minister
for some satisfaction on those particular
matters.
5.8 pm
Sir Paul Beresford (Mole Valley) (Con): I also welcome you to the Chair, Mr. Illsley, and hon. Members to the Committee.
I am
supporting my Front-Bench colleagues in their support for the orders,
but perhaps from a slightly different position. My particular interest
is the encryption regulation, as the Minister will be aware, having
been tipped off by his officials that I am likely to approach the issue
from that particular angle.
The importance of encryption
is that the police have been waiting for seven years, as my hon. and
learned Friend the Member for Harborough pointed out, for this
particular statutory instrument to go through, because they want to use
the legislation in serious cases involving fraud, serious robbery,
smuggling, human trafficking and paedophilia, just to touch on a few.
It is vital that the police can access the information that is on the
computers. They increasingly find when they get to encrypted computers
that the hard drive is not even there, that the individual has logged
on using a floppy disk or that a PIN or key is needed to access the
information.
The
police are also becoming increasingly aware that the quality of
encryption is improving dramatically. I understand that it is quite
simple to download free software on the internet, such as 256-bit
software, so that the encryption cannot be broken by the facilities
available to us. The latest and more professional form of Vista
software that is becoming available automatically encrypts the moment
the computer is turned off. Yesterday, Sir Ken Macdonald, head of the
Crown Prosecution Service, addressed the all-party group on human
trafficking. I asked him about this particular piece of legislation and
the fact that there was a maximum penalty of two years. His answer was
politely derisory. He said that serious criminals will not be bothered
by this sort of legislation. I refer to that, because the Minister has
said that the Government are re-examining foreign legislation
and considering moving on before primary legislation as a result of
this particular instrument. The reality is, however, that it will not
work.
May I ask the
Minister - I did this once before with one of his
predecessors - to step into the shoes of a paedophile? I am sure,
and I hope, that he will find that difficult. He is a typical
paedophile, sitting at his computer. He has a collection of data in
front of him - that data incriminates himself and some of his
colleagues, because even though they are loners, they often work
together - and pictures of children. The police would like those
pictures, because they want to find, help and bring health services to
those children. They want to break the cycle of abuse whereby those who
are abused often go on to
abuse.
If the
instrument worked, the key would be given. The criminal would go
away - if I can use that colloquial phrase - for a very long
time and end up
being on a sex offenders register. If the option is not to give it and
have a maximum of two years, of which the criminal will probably only
serve one, the choice is obvious. At the end of that sentence - a
very short sentence - he will not even be on the sex offenders
register, unless the matter relates to other criminal events for which
he or she has been found
guilty.
In essence, I
welcome this measure, even though it is scratching rather than breaking
the ice, it is seven years late and it is timid. Therefore, I ask the
Minister not to wait to assess how the instrument works, but to
recognise the results of the consultation that has already gone on and
come back with legislation that greatly strengthens that.
As the Minister will have been
advised, there is a general feeling among those who are concerned that
two years should be 10 for paedophile activities and
also, I suspect, for human trafficking. Therefore,
although I welcome the measure, it is timid and
late.
5.13
pm
Mr.
McNulty:
Let me start on that last point. There are
difficulties, and I have said that the matter should be reviewed. The
Government have always recognised the concern that an offender may
happily accept a lesser sentence for fear of what might be revealed if
the key and the encryption is secured, which would result in a much
longer sentence. We cannot impose the penalty for the predicate offence
in the absence of evidence for that offence, otherwise there will be a
disproportionate penalty for the offence of failing to disclose the
information in the first place, which sounds like legal gobbledegook,
but it makes sense to
me.
Mr.
McNulty:
I am grateful to the hon. and learned
Gentleman. However, it is a genuine concern and one worth considering.
The position that the hon. Member for Mole Valley poses is quite real.
Let us suppose that someone does not give up the key or encryption and
they are the only one with that key: the data on their machine that
could cost them eight, 10 or 15 years would not be cracked. If the
penalty for non-disclosure is two years, it is not hard to work out the
attraction of the respective alternatives. It is an area that we need
to look at in more detail. Off the top of my head, and happily I am no
lawyer, 10 years for claims, assertions or suspicions in respect of
paedophile information being on computers and for failure to disclose
that information would appear, from what I know about the rest of the
law, to be a disproportionate response. However, we need to consider
that in the broader sense, beyond these orders.
I know that the hon. Gentleman
has met the Under-Secretary of State for the Home Department, my hon.
Friend the Member for Gedling (Mr. Coaker), among others, to
discuss this, and that it is an ongoing concern. In this instance at
least, I did not need people who are not in the Room to tip me off; I
already knew about his interest.
Sir
Paul Beresford:
I thank the Minister for his partial
reply. May I remind him of the consultation that has been going on for
some considerable time?
There is a possible target of opting for 10 years instead of two on the
basis that the criminal will already have been convicted, or will be in
the process of being convicted, of paedophile activities. That, to some
degree, knocks his
argument.
Mr.
McNulty:
I accept that; we need to look into this in more
detail.
I do not
accept the point made by the hon. and learned Member
for Harborough about the Government's failure in terms of the
drafts. Draft codes have been around since 2000, when the RIPA was
passed. The communications data code has been published by the Home
Office since January 2004 and revised frequently, and the draft
encryption code was published in the first instance and then revised in
March 2006. I take his practical point that it might have been a
courtesy appreciated by all Committee members had the two most recent
drafts landed on their desks along with the rest of the papers. I take
that as a concern, but it is wrong to suggest that the codes have only
just arrived and have not been around in some draft form or other for
the past few years.
It would be difficult to get
to the literal equality of arms that the hon. and learned Gentleman
suggested: two or five years versus what befalls a transgressor, in
terms of a designated person or anyone else. The role of the
commissioner and the tribunal could not be described as simply
involving a slap on the wrist. As others have said, it opens up the
possibility of awards for damages - it has done so - and for
the destruction of information. In this world, although someone who has
this sort of transgression against their name may not be incarcerated,
they would find it difficult to secure similar work in such a sensitive
field. It is a big deal to transgress and then be taken through the
whole tribunal process, with the potential for damages; it is not the
simple slap on the wrist that the hon. and learned Gentleman
suggests.
Mr.
Garnier:
I do not want the Minister to get the impression
that I am in the least bit sympathetic to potentially serious
criminals, who need to be investigated and prosecuted. It is often said
about those who are acquitted justifiably of criminal offences before
the Crown court that the acquittal is vindication enough. One of the
problems is that in the sort of area that we are talking about,
particularly that which my hon. Friend the Member for Mole Valley is
discussing, the reputation of someone who is known to have had their
computers investigated by the police in relation to paedophile activity
is probably ruined for ever, even though they may ultimately be found
not guilty of any offence.
Perhaps the rather clumsy
expression I used in my opening remarks is better edited: although
equality of arms might be impossible to achieve, we must have an
understanding of the damage that can be done to innocent people,
particularly in such circumstances. Although I appreciate that the
power to award compensation is available to the tribunal and the
commissioner, there is a need for vindication and for someone to be
able to clear their reputation in the event that they are unwittingly
and unjustly caught up in this sort of
investigation.
Mr.
McNulty:
I entirely accept that point. I thought that the
hon. and learned Gentleman was suggesting that there was not sufficient
penalty on the side of those who capriciously, recklessly and so on
pursue such an investigation against an individual - through the
tribunal system there is. Particularly, but not only, where it is
proved that pursuit of an individual has been reckless, capricious or
malicious, the points made about vindication and damage to that
individual are entirely fair and must be borne in mind.
The hon. and learned Member
for Harborough and the hon. Member for Cambridge made a lot of
comments, which I shall address in no particular order. I think that I
am right that the point about providing assurance, which is expressed
in that strange way in section 3.17 of the code, means that the single
point of contact is, effectively, the angel sitting on the side of the
designated person to assure them at every stage that what they are
doing is duly legal and compliant with the law. In that context, as
ever with legal language, assurance has that inference in
statute - the hon. Member for Cambridge will know that far better
than I. Furthermore, there will be an obligation on the single point of
contact to tell the individual, every now and then, that which they
might not want to hear. It is a sort of quality-assurance
guardian-angel
approach.
The hon.
Gentleman was not entirely right when he said that we would be better
served if the document contained all sorts of technical specifications,
because those will change. The orders provide for broad, overarching
codes of practice. Those involved on a regular basis with that body of
the work will know the most appropriate way in which to do that. In
that regard, the NTAC will offer advice and provide secure facilities,
but it might be a tad excessive not only to have the two documents
under discussion, but supplementary technical specifications about the
best way to do
things.
I meant to
say earlier that I would never contemplate telling the hon. and learned
Member for Harborough that if he cannot be bothered going to a library,
it is his look-out. That is not the sort of language that I use,
or my approach to such matters. As for his broader point, I have dealt
with that already.
In
2006, some purposes were added by order to the list contained in the
2000 Act. Those
were:
(a) to assist investigations into alleged miscarriages of justice;
(b) for the purpose of
(i) assisting in identifying any person who has died otherwise than as a
result of crime or who is unable to identify himself because of a
physical or mental condition, other than one resulting from crime
- such as one resulting from a natural disaster or accident -
or,
(ii) obtaining information about the next of kin or other connected persons
of such a person or about the reason for his death or condition.
Apart from
the language in which they are written, those are all perfectly
reasonable additions to the order. The explanatory memorandum
states:
"Tony McNulty, Minister of State for the Home Department, has made the
following"
- outlandish -
"statement regarding Human Rights:
In my view the provisions of The Regulation of Investigatory Powers (Investigation
of Protected Electronic Information: Code of Practice) Order 2007 are
compatible with the Convention."
I
think that I might have said - rather rashly - the same
about the other order in the explanatory memorandum,
so we do believe that they comply. [Interruption.] No, I did not
just sign it; I did so with the full understanding of what I was
signing.
Mr.
Garnier:
We are hugely
reassured.
Mr.
McNulty:
Well, there we are. I have read the orders
carefully and signed accordingly. I am not so foolish as to sign
anything that is put under my
nose.
The point about
multi-use keys was interesting in the sense that the disclosure notice
should be specific about what encrypted data, or otherwise, is
required - and that is all. As has been suggested, particular care
should be taken when a multi-use key is required to access protected
information or disclose it in an intelligible form. The notice must
explain explicitly what is required and that it is proportionate to
what is sought to be achieved. I take the point that as the order puts
in place the code of practice, and as the technology develops, the
industry and the authorities might need to look again at
that.
I thought that
that was a perfectly fair point, as was the point
about how a key can be retained in an
individual's memory. In reality, as I have said, the prosecutor
can never prove that the defendant has not forgotten. However, it is
incumbent on the prosecution to prove by physical
evidence - either by recent usage tracked or in some other
fashion - that the individual has used the key recently. It is not
enough to say, "Well, you might have forgotten, sonny, but we
are going to beat it out of you anyway." The burden is on the
prosecution to say, "There is an encryption key to the data. You
have used it recently because we have evidence of such use or we have
evidence of data that shows clearly that you must have a key."
It is not put in the most perfect way in the code of practice but, with
the shift in the burden of proof suggested by the hon. Member for
Cambridge, it achieves what is ultimately
required.
Mr.
Garnier:
It often happens that prosecutions prove their
cases on the basis of reasonable inference. Obviously, the inference
has to be proved to the requisite standard of proof, but inferential
cases adduced by prosecutions are not unheard
of.
Mr.
McNulty:
Will the hon. and learned Gentleman repeat his response? I
missed the last
bit.
Mr.
Garnier:
It is not uncommon for the prosecution to prove a
case, when it does not have physical evidence, on the basis of an
inference or an inferential case. If a person has done certain things
in the past, the chances are that that person has done such things now.
A set of circumstances is built up, which inevitably - as the
prosecution would say - leads to the conclusion that the person
must have so
acted.
Mr.
McNulty:
I am sorry. I was not being impertinent. I accept
what the hon. and learned Gentleman says, but the matter needs to go
further
than that. There must be substantial physical evidence or a more recent
inference that there are grounds in the first place to suspect that the
individual has the key or the method of encryption to access the
data.
With the
greatest respect, many other points were more about the parent Act,
RIPA, than the specifics. It sounds complicated, but the matter is
straightforward. I take the point that all three - the single
point of contact, the designated person and the applicant - should
not be the same person. Paragraph 3.19 of the code covers the issue in
the sense that the single point of contact may be an individual who is
also a designated person. We have that combination. The single point of
contact may be an individual who is also an applicant, which is
perfectly reasonable. The same person should not be an applicant, a
designated person and a single point of contact. Equally, the applicant
and the designated person should not be the same person. I accept that
that reads a little like an IQ question, such as what combinations
remain and what combinations can there be, but having read the
provision a few times it covers the
matter.
It is
absolutely crucial that the individual should not be the single point
of contact, the designated person and the applicant, and that the same
person should never be both the applicant and the designated person.
There are combinations when the single point of contact comes into
play, but the fear of the hon. Member for Cambridge about a conflict of
interest or a common interest when there should not be one is covered
discernibly by part of the code, although perhaps he should read it
again - or perhaps I should read it
again.
David
Howarth:
We should all read it again. The specific problem
concerns the applicant and the authorising official. If we can have the
Minister's assurance on that particular point, all the other
matters will be less
important.
Mr.
McNulty:
Paragraph 3.19 is absolutely clear. It states
that the same person should never be both the applicant and the
designated - that is, authorised - person. That is entirely
fair.
Any foreign
authority within the European Union will be bound by the same
directive. I shall write to the hon. Gentleman and members of the
Committee to clarify matters. It is stated that the starting point for
any public authority needing to disclose
communication data outside the European Union is to assess whether the
data will be adequate and protected, and what steps can be taken to
ensure that that is so. That is fine. It tells me that the hon.
Gentleman's point is therefore
covered.
However, I
am not sure about the incumbent duty on the public authority in the
United Kingdom to desist from providing such data if that data cannot
be adequately protected or the steps necessary to do so cannot be
assured.
David
Howarth:
My main point was how a public authority that has
some other function makes the judgment. Surely the Information
Commissioner is in a much better position to make judgments about the
situation in other countries than the public authorities that we are
discussing. Should not there be a duty on
the public authorities to consult the Information
Commissioner, not only a suggestion that they
might - as appears to be the case at
present?
Mr.
McNulty:
Without besmirching the reputation of the
Information Commissioner in any way, I am not sure that he would
necessarily have that information to hand, so I do not know whether
that duty would be appropriate. I will explore the matter, and get back
to the hon. Gentleman about the strength of the duty to get further
advice. It may be that NTAC or some other body can provide that. As he
suggests, the point about the incumbent duty on the public authority to
ensure that security and other elements are available for sharing with
non-EU people is fair, and I shall consider that.
Again, the point about e-mail
headers is perfectly fair. I am told that work is being done with
communications service providers to ensure that e-mail subject lines
are not disclosed under the RIPA provisions. Often, with short e-mails
the header line becomes the substance of the e-mail - I certainly
do not bother going down a further line to read the body of the e-mail.
Work is being done under the broader RIPA provisions for precisely the
reason that the hon. Gentleman suggests, which is that the e-mail
header line is not
secure.
Given the
substance of the regulatory framework that is imposed by the 2000 Act
and its interplay with both the guidance and the code of practice, I
think that on balance, with the penalties imposed as they are,
self-authorisation is appropriate for the reasons that are laid out in
the code of practice. That is a matter of judgment, but I think that
there would need to be an entirely new paraphernalia established in the
courts, or under the Information Commissioner or whatever, if every
single authorisation for involvement in such matters had to go before
an outside regulatory body. The important element is that the
regulatory framework, the code of practice, the guidance, and the
interplay with the Information Commissioner work well. Thus far, I have
no reason to suspect that they have not worked well or that they will
not continue to do so.
There is a fear, which the
House may need to deal with in three or five years' time, about
the sheer volume involved as more and more of our daily business is
transacted in such a fashion, but that is a different point from the
main issue. I am told - by the magic of inspiration that
comes from my wonderful Parliamentary Private Secretary - that
inquiries that go beyond the EU will be routed through the Serious
Organised Crime Agency, which is our focal point, and through Interpol
and other agencies. Again, I say quite freely that there are issues
relating to the constituent member states of Interpol. Membership of
Interpol does not mean utter integrity, security and all the other
elements involved with
data.
Sir
Paul Beresford:
I would like to help the Minister a little
because Sir Ken Macdonald was asked about that very point yesterday. He
was also asked about the close relationship between his service and his
opposite numbers in a number of other countries. He said that such
relations depend on careful recognition of the countries and the nature
of those countries and
whether they may have officials, politicians, police and so on who are
corrupt. The information that they transfer is limited, in recognition
of those facts, so in effect that is happening without the
regulation.
Mr.
McNulty:
That is right and proper. Much more can be
deduced from those connections than from imposing a statutory duty on
the Information Commissioner. Action is being taken, but I am not sure
that I would agree that it needs to be taken in the way that the hon.
Gentleman suggested.
I apologise if my comments
have not covered every nook and cranny of the questions raised, which
were all perfectly fair inquiries or comments, but I have finished. I
commend the order to the House.
Question put and agreed
to.
Resolved,
That
the Committee has considered the draft Regulation of Investigatory
Powers (Acquisition and Disclosure of Communications Data: Code of
Practice) Order
2007.
DRAFT
REGULATION OF INVESTIGATORY POWERS (Investigation of Protected
Electronic Information: Code of Practice) Order
2007
Resolved,
That
the Committee has considered the draft Regulation of Investigatory
Powers (Investigation of Protected Electronic Information: Code of
Practice) Order 2007. [Mr.
McNulty.]
Committee
rose at twenty-six minutes to Six
o'clock.