Implementation of warrants

Part of Investigatory Powers Bill – in a Public Bill Committee am 2:00 pm ar 21 Ebrill 2016.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Photo of Gavin Newlands Gavin Newlands Scottish National Party, Paisley and Renfrewshire North 2:00, 21 Ebrill 2016

It is a pleasure to serve under your chairmanship, Mr Owen. May I add to your comments that I will miss the exchanges with the hon. Member for North Dorset? I wish his replacement well.

Clauses 109 and 110 deal with issues about compelling a third party to provide assistance in the execution of a warrant and extraterritoriality, which is the subject of amendment 293. In speaking to the amendment, and to the clause more generally, I will unavoidably stray into matters relating to clause 110, as the two are inextricably linked.

Clause 109 provides the UK Government with the power to issue warrants that in turn force third-party organisations or individuals outside the UK to assist in acquiring information for the means of equipment interference. The clause states that

“any person whom the implementing authority considers may be able to provide such assistance” can be served with a warrant to assist in carrying out a targeted hacking warrant. Under clause 110(2), this warrant may be served at a person’s principal office or specified address in the UK, or by making it available for inspection in the UK after appropriate steps have been taken to bring the contents of the warrant, and its very existence, to the attention of the person.

First, the problem here is the lack of judicial authorisation in this part of the process. Privacy International rightly points out that this compelled assistance will not be subject to judicial authorisation. Although law enforcement and security and intelligence agencies will have to seek a warrant to gain access to people’s devices and computers, it is correct that those authorities are not required to seek judicial approval to compel technology companies to assist in their investigations.

Secondly, we should be mindful of the difficulty that this places on any individuals or organisations who are forced to comply with the Government’s demands. These issues were heard by the Science and Technology Committee, where serious concerns were raised about the security implications of forcing companies to, for example, upload and install malware, as well as the fear that equipment interference could jeopardise their business model. The Science and Technology Committee took note of these issues and concluded that

“the industry case regarding public fear about ‘equipment interference’ is well founded.”

Amnesty International UK is deeply concerned about the dangerous precedent that this broad, aggressive power will set in forcing third-party companies to engage in hacking without any independent provision or scrutiny, and to do so in secret.

Thirdly, the extraterritorial measures in clauses 109 and 110 may cause more problems than they solve. That is why amendment 293, which stands in my name and that of my hon. and learned Friend the Member for Edinburgh South West, seeks to delete subsection (3) entirely, thereby removing the extraterritorial aspect. If we serve hacking warrants on those outside the UK, what sort of message does that send to other countries? We need to be mindful that introducing this type of clause could open the floodgates for other countries to follow suit, which will ultimately have an impact on companies based in the UK. That point was articulated by Yahoo!, which said:

“Extraterritoriality encroaches on the sovereign rights of other governments and risks retaliatory action, including against UK CSPs operating overseas.”

On that point, the Government’s independent reviewer’s report suggests that, when countries seek to extend their legislation extraterritorially, those powers may come into conflict with legal requirements in the country in which companies being asked to comply with a legal request are based. Companies explained to the reviewer that they did not consider it was their role to arbitrate between conflicting legal systems. The protection of vital human rights should not be left to the goodwill and judgment of a company. The concerns of the industry were articulated in this perfect quote. The industry

“expressed concerns that unqualified cooperation with the British government would lead to expectations of similar cooperation with authoritarian governments, which would not be in their customers’, their own corporate or democratic governments’ interests.”

I shall finish with this comment from Yahoo! It states:

“The current legal framework comprises the law in the requesting country, law in the receiving country and the international agreements that connect the two.”

It is additionally possible that the requesting and receiving countries’ laws may be in conflict. For example, the receiving country’s law may outlaw the provision of content data outside their own legal process. It continues:

“Taken as a whole, this framework is fragmented, with gaps and conflicts which have gone unaddressed for many years. In this more global communications environment, this fragmentation has become more and more obvious and creates a patchwork of overlapping and conflicting laws which overseas and domestic UK CSPs must navigate in order to discharge their legal obligations to safeguard users’ privacy and to respond appropriately to valid requests for access to data… It also creates a complex environment for users to navigate and establish their privacy rights.”

This issue is global, and national laws cannot resolve global issues.