Previous Section Back to Table of Contents Lords Hansard Home Page

4 pm

Baroness Harris of Richmond moved Amendment No. 146:

The noble Baroness said: These amendmentsto page 107 would remove references to police authorities being subject to joint inspection with the Audit Commission so that they would be subject to inspection only by the new CJS Inspectorate. I argued the other day that the Audit Commission does not have the necessary skills or experience to inspect police authorities; it is the auditor of police authorities, and rightly expert in that role, which it does very well. We regard this, though, as a distinctly separate function and an essential safeguard on financial probity; we would not want these separate functions blurred.

As we have said, we do not believe that Her Majesty’s Inspectorate of Constabulary or the elements which will transfer to the new CJS Inspectorate have all the requisite expert knowledge to conduct police authority inspections either, as we have just been discussing, but they have a great deal more experience in this area than the Audit Commission. They have engaged in joint work with the APA and police authorities to develop and improve inspection frameworks, which have been extremely helpful. We agree that the audit activities of the Audit Commission could and should be better joined up with inspection activities to reduce duplication, but we do not think that joint inspection will necessarily achieve this. It could have the opposite effect if different sets of inspectors have different ideas about what should be inspected and how. That quite often happens.

Once again, the Audit Commission should have no locus whatever in the inspection of police authorities. It is not competent to do this work. I beg to move.

11 July 2006 : Column 602

Lord Bassam of Brighton: The amendment would remove the requirement for the Audit Commission and the Auditor General for Wales to work jointly with the new inspectorate to inspect police authorities.

The involvement of the Audit Commission in this area is nothing new; it has a long history of playing a valuable role in the inspection of police authorities. The Audit Commission can be rightly proud of its record in the inspection of the quality and cost-effectiveness of a wide range of local services, including local government and criminal justice bodies. We take the view that it is right that it should continue to be involved once the new inspectorate is established. Furthermore, as we discussed during our debate on the amendments to the best value regime in respect of police authorities in Part 1 of the Bill, the Audit Commission will still retain the duty toensure that police authorities secure continuous improvement under the best value regime.

The joint action provisions in the Bill are designed to ensure that the various bodies are inspected in a joined-up way where more than one body has a role to play in inspecting them. The new inspectorate’s remit will overlap with that of the Audit Commission. Given the importance of the role and the duties of the commission, it is important that the two bodies act as one to ensure efficiency and that inspected bodies are not burdened with repeated inspections by one organisation and then another. On that basis, it is sensible to leave this duty in the Bill to ensure consistency in joint inspections.

In the light of my assurances, I hope that the noble Baroness will feel able to withdraw the amendment.

Baroness Harris of Richmond: I thank the Minister for his response but not for what was going on behind it. In no way has he taken account of what I said the other day about where the Audit Commission should sit in the inspection of police authorities. I should point out that I have written to the Minister.

Lord Bassam of Brighton: Perhaps I may confirm to the noble Baroness that I have received the correspondence and just this day I have invited our officials to give it further consideration.

Baroness Harris of Richmond: I am most grateful to the noble Lord. I hope that he and his officials will understand more clearly what I am getting at, because it did not seem to make much sense earlier on.

As the noble Lord said, the Audit Commission plays a very valuable role in the inspection of police authorities on the financial side. It has no other remit in police authority inspection. I hope that when the officials eventually look at this more closely, they will agree that the Audit Commission should not be inspecting police authorities. The commission does an excellent job on the financial side, and we are very happy for it to continue doing that. But the inspection of the work of police authorities is not for the Audit Commission; it is charged with seeing continuous improvement. As I said last week, that has not taken place anywhere, in any of the Audit Commission’s

11 July 2006 : Column 603

work. There must be continuous improvement. Taking away from police authorities the tools that ensure continuous improvement means that we are not going anywhere.

I ask the noble Lord and his officials to look at what I have said. Best value is far too important to leave out of the Bill. I will gracefully retire from this amendment but I will definitely come back to it on Report.

Earl Ferrers: The Minister said that the Audit Commission would look at this in a joined-up way. What did he mean by that?

Lord Bassam of Brighton: With his long experience as a Home Office Minister, I am sure that the noble Earl, Lord Ferrers, understands entirely what working in a joined-up way means. I take it to mean that the Audit Commission will work very closely with the inspectorate to ensure that the police authority is performing its duties as it should.

Baroness Harris of Richmond: I beg leave to withdraw the amendment.

Amendment, by leave, withdrawn.

[Amendment No. 147 not moved.]

Schedule 9 agreed to.

Clause 34 [Abolition of existing inspectorates]:

[Amendment No. 148 not moved.]

Clause 34 agreed to.

Clause 35 agreed to.

Schedule 10 [Transfer of staff and property etc to the Chief Inspector]:

[Amendment No. 149 not moved.]

Schedule 10 agreed to.

Clause 36 agreed to.

Schedule 11 [The Chief Inspector: consequential amendments]:

[Amendments Nos. 150 to 171 not moved.]

Schedule 11 agreed to.

Clause 37 [Interpretation]:

Lord Bassam of Brighton moved AmendmentNo. 171A:

““the Audit Commission” means the Audit Commission for Local Authorities and the National Health Service in England and Wales;”

The noble Lord said: This is a purely technical amendment to clarify the references to “the Audit Commission” in Clause 29(6)(e) and paragraph 10(2)(e) of Schedule 9 by inserting in Clause 37(1) a definition referring to its full name, the Audit Commission for Local Authorities and the National Health Service in England and Wales. I beg to move.

On Question, amendment agreed to.

Clause 37, as amended, agreed to.

Clause 38 agreed to.

11 July 2006 : Column 604

Clause 39 [Increased penalty etc for offence of unauthorised access to computer material]:

Lord Bassam of Brighton moved AmendmentNo. 171B:

(a) in paragraph (a), after “any computer” there is inserted “, or to enable any such access to be secured”; (b) in paragraph (b), after “secure” there is inserted “, or to enable to be secured,”.

The noble Lord said: Before I get into the body of my comments, I should like to say that I welcome that the noble Earl, Lord Northesk, has tabled Amendments Nos. 172, 174 and 176 to reflect the fact that further changes need to be made to the Computer Misuse Act 1990, to ensure that all forms of computer hacking are outlawed. We have been informally consulting on making changes almost identical to the ones that he has identified. He may tell me otherwise, but I understand that his Amendments Nos. 172 and 174 contain slight drafting errors. We have therefore decided to table separate versions of his amendments, Amendments Nos. 171B and 173A.

Section 1 of the 1990 Act makes it an offenceto access a computer without authority. The amendments would extend this to include enabling access to be gained without authority. We share the noble Earl’s belief that the proposed amendments are important because there is a ready criminal market in software tools to gain unauthorised access to others’ computers. The intent is therefore to ensure thatan offence would be committed where the person’s intention is merely to enable someone else to secure unauthorised access—or, for that matter, to enable the person himself to secure unauthorised access at some later time.

The proposed amendments to Section 3 of the Act would clarify that a person can commit a Section 3 offence by being reckless as to whether, for example, a computer will be impaired, although impairment was not his intent. The amendments will also make it an offence for a person to commit an unauthorised act in relation to a computer with the intent of enabling a person to commit a Section 3 offence.

We must make it absolutely clear that it will not be a defence to suggest that the intention was not to impair the operation of a computer. It is enough that the act was unauthorised and that, by committing such an act, there was recklessness as to whether the act could have caused impairment to the operation of a computer. We must also ensure that it is understood that enabling a person to commit a Section 3 offence is an offence in its own right.

Government Amendments Nos. 178A, 178B and 178C make transitional provisions to ensure that the proposed changes to the Computer Misuse Act do not impact on offences committed before this Bill comes into force. We have also made amendments to

11 July 2006 : Column 605

Schedule 15 with Amendments Nos. 193A, 193B and 193C, which are consequential to amendments made to Clause 39. I look forward to hearing what the noble Earl has to say about his amendments. I trust that he will feel able to withdraw them and that he will be content to support those that stand in the name of the Government. I beg to move.

The Earl of Northesk: With the leave of the Committee and at the invitation of the noble Lord, Lord Bassam, I shall speak to my amendments in this group. At the outset, I should offer my guarded congratulations and thanks to the Government on bringing forward these changes to the CMA. As the Minister is only too aware, I and others, not least the Internet All-Party Group, have been calling for some time for the legislation to be updated to make it clear that DoS attacks—denial of service attacks—are unlawful. As they stand, Clauses 39 and 40 go some way towards achieving that in a rather more coherent way than my somewhat ham-fisted Private Member's Bill of four years ago. Nevertheless, as the Minister has explained, gaps remain in the provision. In particular, the current drafting does not deal with the problems caused by botnets, zombie infections and the like.

I need not dwell too much on the nature of the problem because the Minister has explained that well enough, but it might be helpful to put this into some sort of context. For example, in 2005 the Federal Trade Commission estimated that something of the order of 150,000 computers were hijacked daily as a means of launching a criminally motivated DoS, spamming and fishing attacks. In a similar vein, Gartner, the analysts firm, estimated recently that up to 70 per cent of all spam is generated by zombie machines. In monetary terms, it is estimated that these categories of DoS attack cost internet service providers $500 million every year in excess trafficand customer churn alone. Clearly, therefore, they constitute a serious threat for which adequate provision should be made in law.

4.15 pm

Having tabled my amendments ahead of the Government’s, I can only express my gratitude that the Government have seen fit to endorse my proposition. I am indifferent as to which version finds favour with the Committee; if mine are defective, I am quite content to accept that. Be that as it may, I confess to a certain amount of embarrassment. Although drafted to deal with a specific and palpable problem, I had intended them merely to be probing in character, because I have residual and serious concerns about how effective the provisions will be in practice.

Access to IT systems can be denied for awhole host of reasons. Notwithstanding the scale of maliciously motivated attacks to which I have already referred, the bulk of such denials are attributable to wholly natural or, dare I say it, innocent causes. At the most basic level, connections to the internet can be rendered unreliable or inoperable by pure weight of traffic, as occurred with the 1901 census site when it

11 July 2006 : Column 606

went online. By analogy, congestion on our roadsis a considerable irritant, but it is not—so far asI am aware—criminal. By the same token, pooror inadequate server or website architecture is commonplace and gives rise to serious access problems. To state the obvious, internet and website performance is dependent on appropriate and adequate levels of quality of service, the apparent absence of which seems to be a persistent feature of government IT projects.

In passing, I cannot resist mentioning today’s media reports of significant problems with the Passport Office’s online systems. Some might even be tempted to argue that this is a particular feature of the PDVN, on which we all rely. Moreover, it is inevitable that these systemic weaknesses are exploited, deliberately or not, by the perpetrators of DoS attacks. The difficulty is that the Bill makes no distinction between those occasions when IT systems slow down and crash as a result of criminal or malicious interference and when they fail for entirely natural reasons. Indeed, that is compounded by the fact that proper analysis of any particular system crash is a profoundly technical matter, more often than not beyond the technical expertise of law enforcement and the judicial process.

An even greyer area is the status of cyber protest, or online lobbying, numerous examples of which exist, such as the pro-Zapatista group, Electronic Disturbance Theatre, or the French group, Federation of Random Action. At its most fundamental, the internet is a means of communication—a hugely powerful one, but a means of communication none the less. As such, it has enormous potential to empower, enrich and liberate the individualcitizen. To that extent, it is crucially important that internet law be drafted, so far as is possible, not to constrain freedom of expression and of association unnecessarily or disproportionately. By its very nature, cyber protest, although of course not criminally motivated, will often mimic the effects of a DoS attack. Occurrences of it will therefore be potentially prosecutable under the Bill, particularly if one considers the full implications of Clause 40(5)(b).

By way of another example, blogging, particularly in the political sphere, is becoming increasingly popular. We should welcome that, especially in terms of public engagement with politics. But if a particularly successful blog generated so much traffic that it crashed the server on which it was hosted—an equivalent of a DoS attack—would its author and those accessing the site have committed an offence under these provisions? As I interpret it, the drafting is unclear on the point. If the answer is yes, that cannot be right. Nor do I believe, given the technical complexities involved in this whole area and the breadth of the existing provision, that it is appropriate to fall back on the interpretation of the courts. As legislators, we should be capable of stating our intent with much greater clarity than this.

I have a number of other, wider concerns which, conscious of time, I will merely list. First, there are huge problems associated with definitions of “legitimate authorisation” in so far as they relate to

11 July 2006 : Column 607

the online world. Secondly, there are palpable concerns about how enforceable the provisions will be. After all, prosecutions under the CMA are rarer than those for murder. Thirdly, huge question marks hang over the capacity of law enforcement and the judicial process to attend to the issue in terms of both resources and training. It is worth noting that there is no mention of the word “computer” in SOCA’s recently published annual plan, notwithstanding that the NHTCU has been subsumed into it. The Bill does not attend to any of those matters.

I apologise to the Committee for having spoken at such length. As I say, I welcome the Government’s attempt to bring DoS attacks within the scope of the CMA. It is a small step in the right direction. That said, I am unconvinced that the insertion of these odd few confused clauses at the tail end of a portmanteau Bill demonstrates either adequate understanding of the complexities of the issues or firm resolve to attend to the whole corpus of internet crime. Rather, they are a desultory attempt to use no more than a sticking plaster to mend a broken leg. What is needed above all else is a wholesale rewrite of the CMA, not only to take account of how far technology has moved on since it was enacted, but also to weave in the intricacies of associated civil liberty issues. To be blunt, I fear that ultimately these clauses will create more problems than they solve.

The Earl of Erroll: I have had a certain amount of e-mails and discussions about these clauses. In general I think they are a good idea, so they should go through. There is very little difference between the Government’s amendments and those of the noble Earl, Lord Northesk. The only thing I would add is that it has always worried me how you define the difference between a denial-of-service attack where it comes from one point or a set of netbots, and someone demanding that everyone lobby their MP on a particular issue so that suddenly 100,000 e-mails are sent from different single points to one central server. Actually, maybe the latter case should be made illegal, although I cannot think how it could. I apologise for hesitating; I had not thought this out very hard. There are problems around it that probably need to be addressed, as the noble Earl was saying. With the general proviso that we need to think further about the issue, I welcome these amendments.

Lord Bassam of Brighton: I have heard what both noble Earls have had to say on this subject. The noble Earl, Lord Northesk, is well regarded in your Lordships’ House for his knowledge and interest in, and dedicated consideration of, these issues. I have great respect for him for the work he does.

I shall respond to a couple of points that the noble Earl raised. Just to clarify this point: the Bill distinguishes systems interference due to criminal action from that due to accidental action by whether the access modification is unauthorised and whether or not the person has the necessary mens rea. It will ultimately be for the courts to decide on the facts whether an individual protest crosses over into unauthorised and hence criminal activity.

11 July 2006 : Column 608

Next Section Back to Table of Contents Lords Hansard Home Page