Mark Hughes gave evidence.

Good afternoon, Mr Hughes. Thank you for coming here before us today. For the record, I know Mr Hughes outside this place. I had no idea that I was going to be here this afternoon, but here I am and here you are. Would you like, for the benefit of my colleagues, to introduce yourself quickly? There will be lots of questions.

Just for the record, I also know Mr Hughes, though I cannot remember how—I am having a senior moment.

Mark Hughes: We will work it out afterwards. I am happy to get to know everyone else on the Committee. I am the CEO of BT security, and I have responsibility for all the matters that relate to the Investigatory Powers Bill in BT.

Excellent.

We have a definition in the Bill, as I am sure you know, of an internet connection record. What is recorded by BT or any other service provider if I book a train ticket on my mobile phone? What comes up on your record?

Mark Hughes : I would like to answer that question looking more at the Bill itself, and then come back to your question. There are clearly quite specific provisions in the Bill on what we are there to collect.

We have a definition—I would have copied it to you, but you probably have it there—in clause 54(6). You probably know it backwards.

Mark Hughes : Some examples of what we are talking about—I am sorry to be technical, but it is important that I refer to some technical matters—are the customer line reference number, which we perhaps know in common parlance as the account number, and the source and destination host IP addresses. The port to and from it provides content that we have to collect. There are also mass data sets. The Bill is quite clear about what we are there to collect.

On your specific question about a service where you are booking a train journey, we retain various components of the types of data that I just spoke about. It would be things such as source and destination IP addresses and the handset you used, which you mentioned specifically. The IMEI, for example, is another piece of data that associates you to that handset.

If I went to the Trainline website, for example, although it would not come up as Trainline, could you work out that I had been using that website to book my ticket?

Mark Hughes: No, not at the moment. That is not how it currently works. As I understand it, there are four purposes of internet connection records in the Bill, which are to link an IP address to a person or apparatus; to identify the comms service a person is using; to identify where a person is accessing illegal material; and finally, to identify the internet services a person is using, which is pertinent to your question.

What the Bill proposes we are to collect—some of which, by the way, is drawn from data sets that we collect for normal business purposes—may be used to constitute an internet connection record, which would then satisfy those purposes. It is not something we currently retain. The Bill is clear about the ingredients of an internet connection record and its purpose. At the moment, we are still working out with the Home Office exactly how we would compile those pieces of information to create internet connection records and find out which website someone was visiting.

I am sure all that is right, but I am still not sure that I have an answer. If I book a ticket now on the Trainline website, would it come up on your record that I had done it?

Mark Hughes: It is not something that we currently collect and retain.

Not currently, but when the Bill is law.

Mark Hughes: Yes, the Bill quite clearly states the purpose about identifying the internet service that the person is using—

So it would come up?

Mark Hughes: One of the purposes is that we would then be under notice to retain and create that record, which we do not currently do at the moment.

So if the Bill becomes law and I then book a ticket on the Trainline website, you would record it?

Mark Hughes: Under the Bill, once we had been through the consultation process and notice was given, that would be one of the purposes.

Sorry—I probably should have said that I am not that interested in the process at the moment. I understand the process and of course all the proper processes would have to be followed. I am just interested in what you would get before the process starts.

May I try a different question? If I go through the tube using electronic means of payment, would that—if the Bill becomes law and assuming that all the processes are followed—show up on my record?

Mark Hughes: That would not be information that we had access to. It is not our information; you would have to ask TfL that.

What about a feature that I have on my phone called Onefootball? Unbeknown to everybody else, my phone asks for the football scores all the time. What would show up on my record if the Bill became law and assuming that all the processes were followed and all the rest of it?

Mark Hughes: Again, it depends. There is some technical detail underneath here in respect of how that particular service provided by that service provider, Onefootball, polls out and how it would use the services that underlie that—that is, the services that we provide. That would obviously then be subject to the process that would then end up with an internet connection  record, if that were appropriate in that case. Or it might be that you would have to go to that service provider to gain information.

But if it were you, would it show that I had been asking for football results all afternoon?

Mark Hughes: If there was an internet connection record under the definition of the Bill, one of the purposes of which would be to identify which internet services you had been using, yes, we would then retain that and disclose it under the appropriate instrument.

And if I went to the website of The Guardian and clicked on “Brussels attack” and then clicked on “Another bomb”, what would be on your records—assuming that the Bill becomes law, that all the processes are complied with and that there is a proper purpose? I am making all those assumptions. I just want to know what would be on the record.

Mark Hughes: We have obviously been spending a lot of time in consultation with the Home Office. There are varying degrees of capability that the Home Office wants. There is a technical element to how far one goes in terms of the amount of data—there is a trade-off between the amount of data that you collect, retain and then disclose. As the Bill stands, that would also constitute an internet service that someone was using so that would be something on the Bill that we would retain.

Thank you.

At the Joint Committee, Mr Hughes, you said that BT had never collected internet connection records before, that you would have to deploy new equipment to comply with the legislation and that that would come at a cost. That is correct, is it not?

Mark Hughes: That is correct, yes.

I understand from your answers to Keir that you are still working with the Home Office to agree the precise specification of what an ICR is. Is that right?

Mark Hughes: That is right, yes.

Are we to understand, then, that you have not as yet reached agreement with the Home Office about the specification of an ICR?

Mark Hughes: No. It is a work in progress. This is quite a truncated time frame, as you know. I characterise a lot of things that we are doing at the moment as “in parallel” as opposed to “in series”.

Where we are at the moment is that there has been extensive consultation with the Home Office around this. There are a number of different technical approaches to how you take those component parts that then constitute themselves as an internet connection record—for example, things like the rate of sampling that you use inside the networks. Of course, it depends on the type of service that we are talking about; there are technical differences between how those services and that information are then put together to create the internet connection record. That has a big difference in terms of the associated cost.

That is what I want to come on to. The Home Office has mentioned a figure of £170 million. Can you give us any indication of how much of that money British Telecom would need to build a system?

Mark Hughes: There is a spectrum. If the Home Office wanted us to collect everything and carry out a very high rate of sampling, meaning that a lot of information would potentially be available, BT—and EE; we recently bought EE, as you may know—would take the lion’s share of that figure alone, just in terms of our services.

However, we are in very frequent dialogue. Only in the last couple of days, we have been talking to the Home Office about the technical challenges associated with the trade-off between how much it will cost and how much data will be available. Clearly, if there is a different view in terms of the amount of data required, the cost may well be appropriate for the rest of the industry. It is difficult for me to comment on other operators.

We have covered potential costs of building the system. Can you give us a timescale?

Mark Hughes: Again, that is down to the detailed, technical implementation and testing to ensure that it would work properly. Some of the data sets that make up the ingredients of an internet connection record are something that we do retain for business purposes already—not necessarily for the length of time they are talking about—so depending again on the final technical solution we came at, and at what services it is targeted, it could take a few months and up to a year-plus to get a solution in place.

When you say a year-plus, how much on top of a year?

Mark Hughes: Again, depending on exactly what it is that we agree on with the Home Office that it wants, I think it is reasonable to suggest that we would have a service in place in a year.

Are you aware of what has happened in Denmark regarding the collection of internet connection records?

Mark Hughes: I am, yes.

On 17 March, the Danish Minister of Justice informed the Danish Parliament that the plans for a new internet connection records scheme had been put on hold. The reason given for the policy change was the substantial cost of ICR collection—the economic burden would be too high for the Danish telecoms industry. Were you aware of that?

Mark Hughes: I am aware of that. Under the proposals in the Bill—the Home Secretary has made reference to it—we would recover our costs from the Home Office, as we have done under existing legislation. We would like to see clearly articulated on the face of the Bill that 100% of our costs are to be recovered. That is very different from the Denmark situation. In Denmark, that is not the case; the burden is placed on the telecoms operators.

It is difficult for me to comment precisely on the Danish telecom operators because I am not one of them, but specifically here, as far as the UK is concerned,  the proposed regime is more sensible as long as it is clear that we will recover 100% of our costs. We think it is important that that is on the face of the Bill—not just for the reason we said about Denmark, but also because more broadly in itself it provides a proportionality check, so you would not spend a huge amount of money to achieve little effect. If it is clear how much the public purse will have to bear of that, we think that in itself creates a proportionality check in terms of what activity is proposed.

Do you agree that we cannot compare what is proposed in the Bill with what was proposed in Denmark until you have got an agreed specification with the Home Office?

Mark Hughes: A pamphlet has been issued and we have been in discussion with the Home Office as recently as the last couple of days about this. More clarity is required, but broadly speaking there is a definition in the Bill, there are purposes in the Bill and we understand that there are options technically around it. We have been working that through with them, but yes we would like clarity as soon as we can.

Thank you, Mr Hughes, for coming, and thank you also for acknowledging the extent of the consultation with which you have been engaged with the Home Office. As a result of that, you will know that the codes of practice published at the time of the Bill reflect some of the arguments you have advanced previously and clarify some requirements.

Today you emphasised that as we move forward there will be ongoing discussion. How important do you therefore think it is to avoid rigidity by putting more on the face of the Bill rather than including that in codes of practice and in the ongoing discussions you described?

Mark Hughes: It is very important that we have words and definitions on the face of the Bill to deal with the really substantive points as far as this type of legislation is concerned—namely the level of intrusiveness, which is clearly where definitions help. A definition is only really a way of helping to establish the level of intrusiveness of the power that is being put in place.

There are needs to have something. One need, which I have said, is about ensuring that there is clarity around 100% cost recovery, for example. There is definitely a need for that and with 268 pages there is quite a lot in there. However, we also recognise that as technology changes—our world is an ever-changing one as we know, and that is the case specifically in our industry—there is need for flexibility of a discussion point around how consultation happens and how that manifests itself in a legal instrument for us to retain and disclose either content or other types of communication data.

It is a difficult balance to be had. I think there is a lot at the moment in the Bill that is very useful. There are purpose limitations, for example, which are very useful for us, as are, as I said already, the definitions.

The other point is that there does need to be flexibility in future about understanding how the new codes of practice will be formulated based on what was required, and the Bill is clear that the correct oversight is in place. That is a difference from the extant legislation. The consultation process is different from others there have been in the past, and we welcome that.

Presumably you also welcome the right to review a technical capability notice and the commitment that there will be further discussion with you before you are obliged to meet obligations.

Mark Hughes: Yes, indeed, and not only that, but there is now on the face of the Bill a right of appeal to the Home Secretary if a notice is issued to us and we disagree with it. That has not existed in the past. In the past, under other legislation, we have had occasion to make representation, but it is much clearer in this Bill than it has been in the past.

Under the terms of the Bill, you are being asked to collect a large amount of data, some of which will be quite personal and some private. How confident are you of BT’s capability in terms of maintaining the security of those data from hacking or theft, particularly bearing in mind the fact that other communications service providers have been hacked into? When you consider the rest of the industry more broadly—without naming names—do you think BT is in a stronger position than other CSPs to maintain security against hacking or theft where there might be vulnerabilities elsewhere?

Mark Hughes: The security of any data we hold and retain is clearly a matter that we take extremely seriously. That is of the utmost seriousness for our organisation for any type of data. The type of data that the Bill refers to specifically is, though, perhaps different from other types of data that need to be interfacing the public on a bigger scale, for example. This is not that type of data; it is going to be restricted and allowed to be viewed by only very few individuals who have the correct authority to be able to get to the data when they need to.

The level of security applied to this type of data is clearly factored into the type of data that is being retained, so we have to put very significant security measures around it to ensure that the access is controlled properly and that the data are very secure when stored. That absolutely has to be factored into the cost and the way we operate. It is not something new. We are currently subject to laws and regulations under which we have to make sensitive data available, so we are used to doing it, but that clearly has to be factor in for, for example, some of the new datasets we are potentially going to be asked to retain under the Bill.

On the Joint Committee on the draft Bill and on the Science and Technology Committee, we heard CSPs talking about the level of engagement they have had from the Home Office, and we have heard from the Home Office that that has increased recently. That seems to tally with what you are saying. Could you give us a sense of the scale and extent of that engagement, and some reassurance that, in this fast-moving world, you are confident that the relationship is such that that engagement would be there in future as well, rather than it just being about getting the Bill to this stage?

Mark Hughes: We have had extensive periods of consultation and meetings on a very frequent basis. The Home Secretary has invited many of us representatives of the CSP community to meetings with her on two occasions before this, as well as to many working-level meetings with various Home Office officials. We discussed  the technical, legal and procedural points about the proposed legislation as well, which is markedly different from how things have been before.

On the point about the future, which is important here, the Bill itself clearly specifies and puts in place a regime whereby consultation is enshrined in the legislation through the consultation process that has to happen before a notice is issued and, indeed, because the reconstituted technical advisory board can be called to come together at any time. That power did not exist in the past. The consultation is in a better place and I think that the Bill itself will help to ensure that that continues in future, because it will be a point of law.

Is everything in the Bill technically deliverable?

Mark Hughes: There is nothing that we have yet come across that we think is technically not deliverable. However, I will caveat that by saying that we provide many different services. There are different service providers that do different types of things and operate their communications networks differently from us. I can only really comment on BT and our networks, both mobile and fixed, but from where we are coming from it is—

So through technology that is already in existence and already within your grasp as a company, everything in the Bill is within the bounds of deliverability.

Mark Hughes: What I would say is that, as I said at the beginning, the things in the Bill that we need to retain are what bits we can do technically. We have not yet gone through in detail how we constitute some of that information, because we have not yet done it. I cannot comment on something that we have not done yet, but on the face of it, it does not look unfeasible.

To follow up briefly on Mr Matheson’s question about security, I hear your answer, which is quite broad. I will rephrase the question in this way: would existing BT customers expect a different level of security protection for their data once the Bill is enabled and passed, compared with what they expect and what is at their disposal today?

Mark Hughes: Again, different types of data, depending on the concentration, volume and type of data, require different levels of security. We always assess the risk of that data becoming exposed in a way that it should not, and we assess the security against that clearly.

Are you saying that because the quantity and volume of data being stored will increase and you are storing it for longer, those are two contributing factors that could potentially lead to the weakening of security?

Mark Hughes: No. On the contrary, because that is the case, we will assess it and have to put additional security controls around those data. Again, some of those data sets do not currently exist. In assessing how we would build the storage for those data sets, we would obviously factor in security, and some of the factors would include the volume and type of data, which would lead to the solution that we put in place. That is part of some of the cost estimates that have been worked through in the pamphlet produced by the Home Office.

This is a quick follow-up to a question Mr Starmer asked earlier about ICRs as they relate specifically to mobile devices. The example that he gave involved a football app, but let us use Facebook as an example, as it may be of use in investigations. Facebook and apps like it have lots of background processes that generate thousands of ICRs. Is there any way of ascertaining whether an ICR is created manually or automatically by the app?

Mark Hughes: I think there is a principle here. Again, it is enshrined in the Bill to a certain extent, but I make the point now. The organisation that holds the data closest to source is the one that should be subject to the powers. That is the one that should be retaining and having to disclose data under the Bill as it stands. For example, you mentioned Facebook. If Facebook has those data, they are the ones you would have to ask about how they would go about retaining and disclosing it.

I understand that, but would it be technically possible to understand whether somebody has pressed a button to create that record or whether the app has done it?

Mark Hughes: I would have to look specifically at the details around it. If it generated an internet connection record that was a website visit, for example, that might be something that we retained, but it would be very difficult for me to comment specifically on that without knowing the exact details. It depends on the engineering of the services and networks, but in principle, if Facebook had that data, then they are the ones that should be subject to the law. We are considering whether to propose an amendment to the Home Office on the third party data question, which is the case in point here, and how that should be approached. We think that the principle is that other providers who have that data are the ones who should be subject to it, and that it should be explicit in the Bill.

So at the moment the Bill is not clear enough on that aspect?

Mark Hughes: It could be clearer, and we are thinking about proposing an amendment specifically to over-the-top providers, making it clear that they are responsible for that.

Can I come back to the question of what constitutes an internet connection record? It is the record that you may be responsible for keeping and passing over, so it is important that you have clarity. I take it from your previous answers that you have said some of it will be data that you are already collecting for your own purposes, and some of it will be other data that you are not currently retaining but will retain as a result of the Act. What are the data you are currently retaining? What is the bit that you keep already?

Mark Hughes: I gave an account number as an example. We obviously know our customers’ account numbers, so that is something that we currently have, and we have other types of information, as I went through, which are potentially subject to other pieces of legislation on retaining data. The point about the internet connection record is that it is rather like a series of ingredients, which you have to put together to create the record.

I have got that. The account number is fine. That does not tell you very much; it is just the account number. When someone does something using the account, what else do you keep at the moment?

Mark Hughes: There are other records associated with other types of services that we have.

I am sorry; I am struggling with this. Can you give me an example?

Mark Hughes: A source-destination IP port, for example. That is something that has to be available to allow traffic to route around the internet. That is the type of data that we have.

The IP port?

Mark Hughes: The extent to which we collect and retain that at the moment is clearly going to depend on our being clearer about what an internet connection record is through the work of the consultation. That will drive how long we have to hold the source-destination IP.

What data that you do not currently retain or keep will you have to add as an ingredient?

Mark Hughes: As far as I am aware, nothing. At the moment, we have—

Nothing?

Mark Hughes: Well, we have information at the moment that we might not retain for a period of time, but which would be commensurate with what the internet connection record is going to be. It is less about the type of data and more about the length of time that we have to retain it. That is the thing that we need to work out through the consultation process. Does that make sense?

Just to clarify, I heard you say earlier that some of the data you keep and some you would have to constitute. Now, you are saying that it is all data you have got; it is just about how long you keep it for.

Mark Hughes: No. Sorry if I have not been clear on that. The ingredients are there in some shape or form. Some stuff we mainly retain for a very brief period. There are elements of the data that we would have to look at very differently if the Bill became law, in terms of the length of time, how we retain them and how we use them to produce the internet connection record. That would be different.

If I were your customer and this Bill were law and I accessed The Guardian through you, would you think that one of the ingredients is the page within the home page that I went to? Is that an ingredient that you anticipate that you will have to keep?

Mark Hughes: Sorry, I did not hear the question.

If I go on the Guardian website, I can start clicking between different parts of the website for different bits of information. You can go on a hyperlink to different pages. Do you anticipate keeping any of that data in the future if I were your customer?

Mark Hughes: As drafted, the Bill talks about identifying the internet service that a person is using. The extent to which that capability will be required on the face of it is subject, as I mentioned earlier, to some of the technical considerations. For example, for what you are describing, if every single thing you were to click on on that particular website needed to be retained, that would require a lot of information, which we would have to generate from our network. Technically speaking, it would require a lot of sampling of traffic to achieve that.

That is a technical issue, but legally do you think it is within the definition you are working to?

Mark Hughes: Absolutely. I think it is within the definition as it is written in the draft Bill at the moment.

Following on from Keir’s questions, there is a concern about the hackability of the volume of data that we have already got. Have we just heard that you already collect this data, albeit not necessarily in the same form or for the same length of time? Is it all still there for someone who wants to access it immediately?

Mark Hughes: No. Not all of the data is collected. We retain lots of data for business purposes, which we therefore retain and secure proportionately and appropriately for that type of information. As I said, there are things in the Bill that are about us having to generate additional records, based on some of the existing information that we have and other types of information that may be necessary in the future.

But based on the existing information that you have, it is already there.

Mark Hughes: Some of it is already there. Some of it might not be there in the way in which the Bill describes. Some of it is subject to what the actual code of practice determines we have to collect and for how long we have to collect it. Some of those things are unknown at the moment. Suffice it to say, we have lots of information, some of which could constitute or make up an internet connection record as it stands at the moment. We secure that data, and it is accessible if required for business purposes at the moment.

Thank you very much, Mr Hughes. I am sorry we do not have more time.

Mark Hughes: I am happy to submit written evidence post the sitting.

Excellent. Colleagues may follow up your evidence with written requests as well.