Power to issue warrants to intelligence services: the Secretary of State

Investigatory Powers Bill – in a Public Bill Committee am 11:30 am ar 21 Ebrill 2016.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs) 11:30, 21 Ebrill 2016

I beg to move amendment 405, in clause 91, page 70, line 8, after “crime”, insert

“where there is reasonable suspicion that a serious criminal offence has been or is likely to be committed”.

With this it will be convenient to discuss the following:

Amendment 406, in clause 91, page 70, line 9, leave out paragraph (c).

Amendment 436, in clause 96, page 74, line 16, leave out subsections (12) and (13).

Amendment 464, in clause 91, page 70, line 25, at end insert—

‘(10) A warrant may only authorise targeted equipment interference or targeted examination as far as the conduct authorised relates—

(a) to the offence as specified under subsection (5)(b), or

(b) to some other indictable offence which is connected with or similar to the offence as specified under subsection (5)(b)”.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

The amendments, which were tabled by the Scottish National party and the Labour party, are part of the broad objective of altering clause 91 so that authorisation of warrants is carried out by judicial commissioners rather than the Secretary of State. There has already been quite lengthy argument about the general principle so I will not go into that in great detail. The amendments also deal with the grounds and circumstances in which warrants may be issued and attempt to tighten the safeguards in the clause.

Amendment 405 would amend the grounds on which warrants may be issued, adding at the end of subsection (5)(b) a reference to reasonable suspicion of serious crime taking place. That pertains to an argument I made in relation to part 2 of the Bill, which is that the grounds for issuance of a warrant should require reasonable suspicion. It will also be recalled that I argued that the economic wellbeing grounds should be removed from the Bill in relation to part 2, and I renew that argument in relation to this clause for the same reasons. There seems to be some tautology. As either the Joint Committee on the draft Bill or the Intelligence and Security Committee commented, it is difficult to see how

“the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security” can really mean anything above and beyond the interests of national security. Amendment 406 would therefore remove subsection (5)(c).

Amendment 463 would remove subsection (6), while amendment 465 would include a requirement of proportionality and a technical assessment in the consideration that is given to the issuance of a warrant. Amendment 465 would require that less intrusive methods have been used or considered and a technical assessment of proportionality accounting for the risks of the conduct proposed. Those requirements would apply when applications from the intelligence service, the Chief of Defence Intelligence and law enforcement are considered. In order to consider whether a warrant is necessary and proportionate, not only the intrusion but the methods will need to be assessed. The amendment would require the judicial commissioner, supported by independent technical expertise, to assess the proportionality of the conduct proposed in targeted equipment interference applications.

There is good reason behind the amendment. Again, I hark back to some of the more general concerns that were expressed by myself and the hon. and learned Member for Holborn and St Pancras. When malware is deployed there is often a risk of contagion, at home as well as overseas. We have had a recent and dramatic demonstration of that: the Stuxnet virus was believed to be an American-Israeli cyber-weapon intended to hack a single Iranian uranium enrichment facility. What happened instead was that it infected Chevron, the energy giant, and many other companies, as well as Microsoft PCs around the world.

That is a good illustration of how hacks intended for what we might call “good purposes”—to protect the public—can have unintended consequences. I believe that the phrase used by those in the know is the risk of hacks spreading into the wild. Technical experts have explained to me that the risk of hacks spreading into the wild cannot be overstated. In fact, a professor of security engineering at Cambridge University, Ross Anderson, wrote to the Science and Technology Committee about this very issue, saying—he did not mince his words— that

“It is only a matter of time before interference with a safety-critical system kills someone”.

The amendment would address these serious issues by making sure that we do not take the potentially dangerous and counterproductive step of hacking where other less intrusive and safer methods have been used, and that a technical assessment of proportionality accounting for the risks of the hack being proposed is carried out in advance.

The practice of equipment interference leads to the stockpiling of software vulnerabilities, which in turn puts millions of users of software at risk, and those millions of users of software are our constituents, the citizens of the United Kingdom, people who use these sorts of devices day in and day out for all sorts of aspects of their personal and professional lives. These hacks, if not used only where strictly necessary, and if there is not a proper technical assessment in advance, risk opening up the equipment of ordinary members of the public to criminals and fraudsters rather than just the intelligence agencies. Underlying the amendment is the idea that it is vital that when deciding whether to grant a warrant, the judicial commissioner should understand and account for the proportionality of the proposed interference methods before authorising them.

There is also the risk that hacks can malfunction, with severe consequences for critical infrastructures and even international relations. Whatever one thinks of Edward Snowden’s revelations and the propriety of them, the fact is that he put a lot of material into the public domain and we would be remiss if we did not consider that. He has revealed that malfunctions of hacking by the National Security Agency in America were responsible for the outage of the entire internet in Syria in 2012, which may have caused simultaneous flight-tracking issues and led Government and opposition forces erroneously to blame each other for the incident. That sort of thing could be a danger to our forces.

I went to a fascinating briefing yesterday morning about photonics. Before I went into the briefing, I did not really know what photonics was, because I am not a scientist by background, but I went along because there is a lot of research into photonics development going on in Scotland, particularly at Heriot-Watt University, which is in my constituency. One of the fascinating things that I learned at this briefing on photonics from a speaker from BAE Systems was how photonics—in layperson’s terms, laser technology—can now “zap” on to the visor of fighter pilots the information they need vis-à-vis radar and the like, so that they do not have to look down at a screen when they are looking for a target. If hacking goes wrong, those sophisticated technologies, which are needed for the defence of this country, may themselves go wrong and that may lead to the deaths of innocent civilians, which we all, regardless of which side we took in the vote last December, want to avoid in any bombing in Syria.

There is a high degree of public interest in the proportionality of hacking methods, and the security of data and the safety of citizens both at home and abroad are very real issues. The debate surrounding the Apple against the FBI case in America centred on whether the methods required to hack one particular device were proportionate, given the security consequences for all owners of iPhones. In the United States, the decision in that case was rightly entrusted to an independent judge.

Amendment 465 is crucial because of the potential damage to computer security and the corresponding vulnerability to criminal elements that results from hacking, as well as the potential dangers for our forces fighting abroad and for civilians. The use of various hacking technologies poses clear risks to those they are used against and to the wider public, which requires the addition of a technical proportionality test. I hope the Government are prepared to consider the amendment seriously.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

It is a pleasure to continue to serve under your chairmanship, Mr Owen. I echo your sentiments in relation to Her Majesty the Queen. [Hon. Members: “Hear, hear!”]

I have little to add to the hon. and learned Lady’s comments in support of the amendments, other then to outline why they were tabled. Clause 91(1) sets out the power to issue warrants, and paragraphs (a) and (b) outline the familiar necessity and proportionality tests, which bite on the very wide provisions of subsection (5). The Secretary of State therefore has to consider whether issuing a warrant is necessary for one of those broad purposes—

“national security…preventing or detecting serious crime, or…in the interests of the economic well-being of the United Kingdom”.

That is obviously a broad necessity test, and proportionality is assessed by reference to the same grounds. The provision is over-broad, which matters because the double lock works only if a judicial commissioner has scrutiny of the Secretary of State’s decision. If the Secretary of State’s decision is so wide, the judicial commissioner’s scrutiny will be correspondingly wide. That matters particularly in relation to the targeted examination warrants, which will be used where a wider bulk power has been exercised in the first place. The amendments would tighten the necessity and proportionality tests, giving them real practicality and effect.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

It is a pleasure to serve under your chairmanship once again, Mr Owen, particularly on the auspicious occasion of Her Majesty’s birthday. The Solicitor General and I are members of a diminishing group who still hold to the spirit, and perhaps even the actuality, of the divine right of kings.

Chivalry forbids me from paying but scant attention to the fact that the hon. and learned Member for Edinburgh South West spoke to amendments not in this group. I will not spend too much time responding to what she said, but I might be able to respond to her a little when we come to the next group.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

I realised that I had done that inadvertently, for which I apologise. I will not add insult to injury by repeating my submission when we get to the next group. I look forward to hearing what the Minister has to say.

There will be a lot of that today, because we have addressed many of these issues in greater detail previously and we will be moving on. Hopefully that will help, rather than hinder, proceedings.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

That brings me to the amendments before the Committee. It is important at the outset to re-emphasise that these powers are essential to protect against cyber-attacks by serious criminals and hostile states, and it is because GCHQ and others have such powers that our data and cyber-security is safer. That is not merely my estimation; it is the estimation of a number of major businesses that are susceptible to such attacks. In the past two years, the security and intelligence agencies have disclosed vulnerabilities in every major mobile and desktop platform, including in some of the biggest businesses and organisations in this country.

It is sometimes said that although crime is declining, it is also changing—I think that has been said by right hon. and hon. Members in all parts of the House. That is certainly true, and the additional vulnerabilities as a result of technological change are something that Government must be conscious of and respond to with appropriate flexibility.

Some of the vendors who have been protected by the actions I have described have publicly credited UK intelligence agencies with finding such weaknesses. For example, in September last year Apple credited the information assurance arm of GCHQ with the detection of a vulnerability in its iOS operating system for iPhones and iPads, which could have been exploited to allow the unauthorised modification of software to extract information from devices or to disrupt their operation. For the record, that vulnerability has now been patched. It is important to understand that the powers exercised under the clause are an appropriate defence against the change I have described in the character of crime.

Clause 91 sets out the grounds on which the Secretary of State may issue a targeted equipment interference or examination warrant to the agencies: to detect serious crime, in the interests of national security, or in the interest of economic wellbeing, about which we had quite a long discussion. I do not want to rehearse all of that debate, but I want to reiterate, because I feel so strongly about it, that that provision is not about partisan, party political pursuit of particular groups. I know that there has been concern among trade unions and others that Ministers should give that assurance, but also that it should be reinforced in the Bill. We will continue to discuss that, I suspect, but I have made it clear previously and repeat now that that is neither our intention nor the purpose of the powers, and we will do all that is necessary to make that clear.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs) 11:45, 21 Ebrill 2016

The Minister is generous in giving way. I fully accept his good faith in saying that that is not the intention or purpose, but he cannot bind future Governments. In saying that it is not the intention or purpose, he clearly recognises that there is a weakness and that the provision could be interpreted in the way that has been suggested. That is our concern: we are putting on the statute book a measure that might be exploited by a less scrupulous Government.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

I am happy to draw to the attention of any future Investigatory Powers Commissioner the fact that that is not the case and will not be under the Bill. Of course the hon. and learned Lady is right: whether this is a good or a bad thing I leave it to others to judge, but I cannot bind future Governments. However, we can certainly consider and reconsider ways in which the message can be reinforced during the passage of the Bill. I do not want to go too much further, but I think that the signal I am sending will have been seen by people on this Committee and elsewhere.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I am grateful to the Minister for putting that on the record, because there is concern. If the intention or purpose is not as has been suggested, will he give consideration to how that fact can find form in the Bill and be clear for all to see, just as the record will be clear?

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

Yes. It would absolutely not be permitted under the Bill. I do not want to go over it exhaustively, but that reinforces a series of pieces of legislation that deal with the question, many of which have been passed since the talisman case of the Shrewsbury 24, which has been raised in the House a number of times in different ways. However, I take the hon. and learned Gentleman’s point that there is a compelling case to be made for further consideration and assure him that we are engaged in that. I will not say more at this stage, but a signal has been broadcast to this Committee and elsewhere. My prejudices on these matters as a trade unionist are well known, although it is not my prejudices that shape legislation—heaven forbid.

To return to the amendment, it would restrict equipment interference warrants under clause 91 in circumstances

“where there is reasonable suspicion that a serious criminal offence has been or is likely to be committed”.

Again, I do not want to go over this exhaustively, but the problem with that is the character of investigations, which are by their nature dynamic; it is not always possible to anticipate the direction they might take or the material they might uncover. Not every individual involved in an investigation would themselves be suspected of committing a serious criminal offence, but their relationship with wider associates and potential facilitators of a crime might be crucial to identifying the extent of the organised crime gang and its international links and bringing the ringleaders to justice.

Restricting equipment interference warrants to where there is a serious criminal offence would be a significant reduction in the security and intelligence agencies’ current powers. I repeat: current powers. They are not new. We know how they are used and the effect of their use, but the amendment would restrict their ability to protect the national interest. Do not forget—not that you would, Mr Owen—the necessity and proportionality tests in the Bill that limit the circumstances in which the powers can be used, alongside the double lock.

My straightforward case is this: the powers are vital, to curtail them would damage our interests, and they are not here for any of the unintended consequences that people are understandably concerned about. I am prepared to look at how we can reinforce that. I invite the hon. and learned Lady to withdraw the amendment.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

Before I make my position on the amendments clear, it was remiss of me not to add the sincere good wishes of the Scottish National party to Her Majesty the Queen on the auspicious occasion of her 90th birthday.

When we looked at similar issues under part 2, we did not push the matter to a vote, and that is the course of action I wish to follow at this stage. I will withdraw the amendment now, but no doubt the whole issue of judicial warrantry will be revisited on the Floor of the House. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I beg to move amendment 465, in clause 91, page 70, line 18, leave out from “include” to end of line 19 and insert—

“(a) the requirement that other proportionate methods of obtaining the material have been tried without success or have not been tried because they were assessed to be bound to fail, and

(b) the requirement that a risk assessment has been conducted by the Investigatory Powers Commissioner’s technical advisors with regard to the specific equipment interference proposed, accounting for—

(i) the risk of collateral interference and intrusion, and

(ii) the risk to the integrity of communications systems and computer networks, and

(iii) the risk to public cybersecurity.”

With this it will be convenient to discuss the following:

Amendment 415, in clause 93, page 71, line 35, leave out from “include” to end of line 36 and insert—

“(a) the requirement that other proportionate methods of obtaining the material have been tried without success or have not been tried because they were assessed to be bound to fail, and

(b) the requirement that a risk assessment has been conducted by the Investigatory Powers Commissioner’s technical advisors with regard to the specific equipment interference proposed, accounting for—

(i) the risk of collateral interference and intrusion, and

(ii) the risk to the integrity of communications systems and computer networks, and

(iii) the risk to public cybersecurity.”

Amendment 435, in clause 96, page 74, line 13, leave out

“whether what is sought to be achieved by the warrant could reasonably be achieved by other means” and insert—

“(a) the requirement that other proportionate methods of obtaining the material have been tried without success or have not been tried because they were assessed to be bound to fail, and

(b) the requirement that a risk assessment has been conducted by the Investigatory Powers Commissioner’s technical advisors with regard to the specific equipment interference proposed, accounting for—

(i) the risk of collateral interference and intrusion, and

(ii) the risk to the integrity of communications systems and computer networks, and

(iii) the risk to public cybersecurity.”

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

One of the advantages of us all—me included—straying beyond the strict limits of the previous set of amendments is that there is nothing I can meaningfully or helpfully add on amendment 465, which would tighten the necessity and proportionality test for the reasons already articulated. I will say no more other than to indicate that I do not intend to press the amendment to a vote.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

As the hon. and learned Gentleman says, we have covered the ground pretty exhaustively. Essentially, the amendments would change the language of the safeguard, requiring that alternatives must either be tried or be discounted because they were “bound to fail”. In the end, “bound to fail” is clearly too high a hurdle. Investigating agencies would have to waste time and resources, and interfere unnecessarily with people’s equipment trying out alternative ways to gather intelligence that they thought were likely to be successful and not bound to fail.

The amendments would require that in deciding to issue an order the Secretary of State or law enforcement chief must take into account the technical cyber risk assessment by the Investigatory Powers Commissioner. Given GCHQ’s track record of dealing with cyber-vulnerabilities of the kind that I described earlier—I will not go into further detail about that—and given that the code of practice requires that

“Any application for an equipment interference warrant should contain an assessment of any risk to the security or integrity of systems or networks that the proposed activity may involve including the steps taken to appropriately minimise such risk”,

and that

“The issuing authority should consider any such assessment when considering whether the proposed activity is proportionate”,

I believe that these amendments are unnecessary. Accordingly, I invite the hon. and leaned Gentleman to withdraw them.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

I beg to move amendment 408, in clause 91, page 70, line 25, at end insert—

‘(10) Targeted equipment interference is only lawful if authorised under this Act.”

The amendment would require that targeted equipment interference cease to be conducted under the Intelligence Services Act 1994, the Police Act 1997 or indeed any other prior legislation, and instead be conducted under the provisions of the Bill. The Bill is a consolidated piece of legislation, and we tabled this amendment in the spirit of the Government’s laudable attempt to consolidate the legislation in this area. The amendment would ensure that equipment interference always benefits from the safeguards and oversights in the Bill. As we just set out, the Opposition parties want the safeguards to go further, but even if they remain as they are we would like them to apply to all targeted equipment interference. That would improve public accountability and clarify the state’s powers.

The Intelligence and Security Committee’s report on the draft Bill expressed concern about the fact that agencies conduct several forms of equipment interference that are not provided for in the Bill, so it is not just Opposition Members who are concerned. The ISC said that

“certain IT operations will require a different standard of authorisation…than Computer Network Exploitation and that similar activities undertaken by the Agencies will be authorised under different pieces of legislation.”

It concluded that, if that remains the case, the Bill will have failed to achieve transparency; operations will remain secret and thus not be subject to clear safeguards. It recommended that

“all IT operations are brought under the provisions of the new legislation…with the same authorisation process and the same safeguards.”

The amendment reflects the Intelligence and Security Committee’s recommendation that all types of equipment interference should be governed under one clear piece of legislation. I will be grateful if the Government take it on board in the spirit in which it is intended.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

I will deal with this very briefly. The hon. and leaned Lady is right that the amendment is neither invidious nor unhelpful; however, it is unnecessary because there is already a broad prohibition of unlawful interference with equipment in the Computer Misuse Act 1990. That means that any activity that fits within the definition of equipment interference provided in the Bill may constitute an offence unless it is lawfully authorised under part 6 of the Bill, where that authorisation is detailed, or under other relevant legislation.

On the hon. and leaned Lady’s point about activities outside the United Kingdom—a prevailing theme of her concerns, understandably—the Bill sets out the circumstances in which it is mandatory for the agencies to obtain a warrant. That does not include cases in which the conduct takes place wholly overseas. The reality of operating outside our jurisdiction, as she knows, is quite different from operations conducted within or from the British islands. It is not our intention to introduce clauses that inhibit the agencies’ ability to act with agility or flexibility. I think that the amendment certainly does not assist in that regard, and is unnecessary. I hope she will withdraw it on that basis.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

Like the ISC, I am not wholly convinced by the Minister’s argument, but I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

With this it will be convenient to take the following:

New clause 8—Equipment interference: risk assessment—

“A person making an application for a warrant involving equipment interference must make a detailed assessment of—

(a) the risk to the security or integrity of systems or networks that the proposed activity may involve;

(b) the risk to the privacy of those not being specifically targeted;

(c) the steps they propose to take to minimise the risks in subsection (a) and (b).

New clause 9—Critical national infrastructure: risk assessment—

“The person making an application for a warrant under this part must make a detailed assessment of the risks of the proposed activity to any critical national infrastructure.”

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

The new clauses were tabled by the Scottish National party and reflect the arguments I made in support of amendment 465 on the necessity of carrying out risk assessments in advance of issuing a warrant. They are very much a corollary of that, and as that amendment has been withdrawn, I will not press the new clauses for the time being.

Question put and agreed to.

Clause 91 accordingly ordered to stand part of the Bill.

Clause 92 ordered to stand part of the Bill.

Clause 93