Bulk equipment interference warrants: general

Investigatory Powers Bill – in a Public Bill Committee am 2:00 pm ar 26 Ebrill 2016.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Question (this day) again proposed, That the clause stand part of the Bill.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

It is a pleasure to welcome you back to the Chair, Mr Owen. Before the Committee adjourned for lunch, I was addressing clause 154, which is the opening clause of chapter 3 of part 6 of the Bill and deals with bulk equipment interference warrants. I explained that the Scottish National party wishes to see these provisions removed until such a time as the Government have produced what we consider to be an adequate operational case.

Bulk equipment interference is often described colloquially as hacking or bulk hacking. The guide to powers that accompanied the draft Bill made it clear that bulk hacking is a significant step beyond conventional surveillance powers, and remarked that bulk equipment interference is

“used increasingly to mitigate the inability to acquire intelligence through conventional bulk interception and to access data from computers which may never otherwise have been obtainable.”

Labelling mass interception powers as conventional is a bit odd when the Bill avows them for the very first time. The quote I just read out also underlines the fact that the Bill makes a considerable demand for unbridled access to all information. That is particularly worrying in the light of the very broad definition of “equipment” that is found in this part of the Bill. I am sure you will forgive me for skipping forward slightly, Mr Owen, but this does relate to clause 154. Clause 173 defines equipment as

“equipment producing electromagnetic, acoustic or other emissions or any device capable of being used in connection with such equipment”.

That is very open-ended and could even include cars and aircraft, which relates to the analogy with fighter aircraft that I made earlier. We are concerned that the power is open to potential abuse—not necessarily, as I have said before, by the current Government, but possibly by future UK Governments, as well as by other states that will follow our lead in legislation—because there is such loose language.

Following scrutiny of the draft Bill, the Intelligence and Security Committee reported that

“the Committee has not been provided with sufficiently compelling evidence as to why the Agencies require Bulk Equipment Interference warrants” and

“therefore recommends that Bulk Equipment Interference warrants are removed from the new legislation.”

Before we adjourned this morning, I alluded to the fact that David Anderson QC had expressed concern about bulk equipment interference and said that he had not addressed the necessity and proportionality of such a power.

Despite what the ISC said, the power for bulk equipment interference warrants remains in the Bill. My argument is that that is rather concerning because bulk hacking, as I will call it, is by its very nature indiscriminate, as acknowledged in the draft Bill’s explanatory notes, which state that

“bulk equipment interference is not targeted against particular person(s), organisation(s) or location(s) or against equipment that is being used for particular activities”.

Instead, systems, services and software that have been carefully constructed to provide security are intentionally corrupted by bulk hacking to impose the eyes and ears of the intelligence agencies on every phone call, text message and web click.

To use an analogy from the offline world, granting this power would be equivalent to allowing the secret services to break into an innocent person’s house, bug it and leave broken windows for anyone else to get in, without the person knowing it has happened. The problem with the digital world is that the data can be rich and revealing, as I said this morning on communications data. Most of us put everything online nowadays, and our equipment will therefore be like a filing cabinet, with diaries, calendars, video archives, photo albums, bookshelves, address books and correspondence files.

Digital forced entry entails not only intrusion into highly personal spaces but control over those spaces. The individual who has hacked into a piece of equipment can not only access what is stored on it but add or delete files, send messages from it masquerading as the person to whom it belongs, turn it on or off and covertly activate cameras and microphones. It really is quite extraordinarily intrusive.

We heard about that in evidence on 24 March, when Eric King referred to GCHQ’s Optic Nerve programme, which involved hacking into webcams. Whatever one might think of it, many people use webcams for sex chat online. I am not talking about people who abuse children, which is obviously utterly reprehensible. Many consenting adults send indecent images to one another online using webcams. If they are doing that in the privacy of their own homes, and it is not illegal or hurting a child, I do not see any problem with it.

GCHQ’s Optic Nerve programme broke into individuals’ privacy. Such extraordinary power over the private lives of citizens fundamentally alters the relationship between citizen and state. If we allow this to go ahead without a proper operational case, it could breed distrust in law enforcement, which could have significant repercussions for the rule of law.

The equipment interference and bulk hacking envisaged in clause 154 have security repercussions. I alluded to those last week, so I will not go into detail. However, if we create a weakness in a piece of equipment in order to let the good guys, as in the security services in, that weakness exists as a portal for the bad guys, as in criminals and terrorists, to get into the same equipment.

There are serious security concerns about bulk interference. This power is especially excessive, dangerous and potentially destructive. It is one of the most intrusive powers in the Bill, and it jeopardises the privacy of ordinary, innocent people who live in these islands. SNP Members urge fellow members of this Committee and parliamentarians to follow the Intelligence and Security Committee’s advice and remove these bulk equipment interference powers from the Bill until a convincing case has been made for not only their utility but their necessity and proportionality.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I, too, welcome you back to the chair, Mr Owen. This bulk power is, like the others, very wide. Equipment interference includes what is commonly known as hacking, which can be done remotely or by attaching monitoring devices to computers or communications equipment. As has been mentioned, equipment is defined very broadly, covering anything that produces electromagnetic or other emissions. The power is therefore very wide.

It is unsurprising that the ISC was initially sceptical and that David Anderson has raised a number of concerns. I will not repeat the points made by the hon. and learned Member for Edinburgh South West, who spoke for the SNP, but I want to draw attention to the relationship between this bulk power and thematic warrants, which was one of the concerns raised by David Anderson.

If one looks at the structure of clause 154(1), skipping for the moment subsections (2) and (3), and lays it alongside clause 88, the similarities in the description of the warrant are apparent. Part 5 deals with equipment interference and targeted warrants; chapter 3 of part 6 deals with bulk equipment interference warrants. Clauses 154 and 88 are very similar in structure and scope—the difference is that clause 90 qualifies clause 88. The difference we are discussing is that we have, in essence, the same power for equipment interference, but we do not have the qualification of the subject matter that is clause 90. We have already discussed clause 90 at some length and, for a targeted power, it is itself extremely wide.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

On the specific point made by the hon. and learned Gentleman in relation to the connection between clauses 90 and 88, in contrast with the matters we are now discussing, the whole point about clause 90 is that it deals with the particularity associated with warrants that are, by their nature, targeted, whether individually, or thematically as a group, some of which are known to the intelligence services. Bulk matters are by their nature less particular, so could not be subject to the same qualification.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I am not making the argument that those warrants should be subject to the same qualification. I am drawing attention to the fact that clause 90 is what, in essence, turns clause 88 into a targeted or thematic warrant, rather than a bulk warrant. The qualification is left out in connection with clause 154, which deals with a bulk power. I am not suggesting that one borrows clause 90 into this chapter, because otherwise we would simply be rewriting the same provision.

The point I am making is that the concern about clause 90 in relation to themed warrants was that it was a very wide provision in its own right. I think David Anderson went as far as to say that it was hard to see what could not, in truth, be caught within a thematic warrant under clause 90. We have a very wide power there, drawing attention to the breadth of the power under clause 154, which is everything over and above what is already a thematic warrant power under clause 90. That indicates why an operational case is so important in relation to the bulk power. One has a very wide bulk power that is distinguished from what is already a very wide thematic power. That reinforces the need for an independent evaluation of an operational purpose that makes the case for this even wider power.

As far as the safeguards are concerned, clause 156 is, in familiar terms, referencing necessity and proportionality, but to the wide national security grounds falling under subsection (2)—the familiar phrasing. It is the same scheme for these warrants. Then, skipping forward to clause 161, there are the same limits on operational cases, so one has a very wide necessity and proportionality test for the warrant in the first place, then a reference back, in essence, to the same test when getting to the requirements that must be met by warrants. I have made this case this morning and, I think, last Thursday, so I will not repeat it further.

I want to draw attention to the breadth of the power and to underscore why a better and evaluated operational case is needed when one is going on beyond what is already a very wide thematic warrant.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security) 2:15, 26 Ebrill 2016

We had a lengthy debate on these matters this morning, but it is worth repeating. It was Proust who said:

“A powerful idea communicates some of its strength to him who challenges it.”

On that basis, I am hoping to communicate still more of the strength of my argument as a result of amplifying it, but with appropriate brevity, I hope. Let us be clear: bulk powers matter. They matter for the reasons I set out earlier, and that case is made—convincingly, in my judgment—in “Operational Case for Bulk Powers”, which was published by the Government in response to the criticisms of those who considered these matters early on and felt there was a need for greater explanation of the case for them.

Bulk equipment interference is particularly addressed on page 6 of that document. It says:

“This involves the acquisition of communications and equipment data directly from computer equipment overseas. Historically, this data may have been available during its transmission through bulk interception”.

This is the key point:

“The growing use of encryption has made this more difficult and, in some cases, equipment interference may be the only option for obtaining crucial intelligence. As with bulk interception this is an overseas collection capability.”

We are here talking about a power that is used at present, and is of growing significance to our agencies in combating the threat that they face.

The Investigatory Powers Tribunal, has made clear that

“the requirement for a balance to be drawn between the urgent need of the Intelligence Agencies to safeguard the public and the protection of an individual’s privacy and/or freedom of expression” matters. It also stated:

“We are satisfied that with the new E I Code, and whatever the outcome of Parliamentary consideration of the IP Bill, a proper balance is being struck in regard to the matters we have been asked to consider.”

The evidence that we have before us suggests, and I use that judgment as an example, that those who oversee these matters gauge what is already happening, and what is proposed, to be appropriate. Having said that, it is important that we test those arguments closely in this Committee—that is part of the Committee’s purpose, after all.

The hon. and learned Gentleman and the hon. and learned Lady drew attention to David Anderson’s remarks. David Anderson asked why equipment interference warrants were required, given the possible breadth of targeted thematic warrants of the kind that have been discussed. I say this: clear and important distinctions between bulk equipment interference and targeted thematic operations are set out in paragraph 4.38 of the draft equipment interference of the code of practice.

Members will be able to study that code in detail, but for their convenience, bulk equipment interference includes the additional safeguards of the bulk regime and is an important capability in its own right. Both bulk equipment interference and targeted thematic equipment interference operations can take place at scale if the relevant criteria are met. However, targeted equipment interference warrants are limited by the need to assess proportionality at the outset. A bulk equipment interference warrant is likely to be required in circumstances where the Secretary of State is not be able to assess the extent of every interference to a sufficient degree at the time of issuing the warrant. The additional access controls at the examination stage are required to ensure the necessity and proportionality of any interferences that cannot be assessed fully at the outset.

It seems to me that that is the essence of this argument. Both have their place, and both are subject to checks and balances, and to safeguards and protections. In terms of the effect of those safeguards, I think we can all conclude, based on the evidence before us and what we know is already happening and is proposed in the Bill, not only that what is happening now is proportionate and reasonable, but that the Bill goes even further in adding to those safeguards.

In essence, my argument is pentadactyl—it has five fingers. First, this power is necessary; secondly, it is already in existence; thirdly, those who oversee these things have gauged it to be necessary and proportionate; fourthly, the Government have responded to early scrutiny by tightening safeguards through the codes of practice and explaining them more fully; and fifthly, the Bill goes still further than all the existing good practice. That seems to me to be a persuasive argument.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

I give way to the hon. and learned Gentleman to explain why it is not.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

My purpose is not to explain why it is not. That is not always the purpose of these interventions. We are probing the adequacy of the safeguards, which is the proper role of the Committee.

I had marked up that paragraph in the operational case, because, as the Minister has said, it makes the case that, at the outset, certain assessments of necessity and proportionality cannot be made. It says in terms:

“The additional access controls at the examination stage are required to ensure the necessity and proportionality of any interference that cannot be assessed fully at the outset.”

I know that I have said this before, but I really want to make it clear. At the outset, the test of necessity and proportionality is against the operational case and the operational case is specified in the terms in clause 161(5), which takes a familiar form: the operational case cannot be so general that it is merely national security, but it can be general. We have been around that circle, but that is the test at the outset and I have made my comments about that.

The problem is that the test is the same when it comes to examination. Under clause 170, which deals with the safeguards in relation to examination, selection is defined as proportional and necessary so far as it is in accordance with the test in clause 161. This point is central to what is said in the operational case. If the test were different at each stage, I would accept that the argument was logically right, but the test is in fact the same. I see that as a deficiency and I am probing for clarity.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

I acknowledge that it is certainly true that much rests on the operational case. In all our sermocinations, it has been clear to me that the hon. and learned Gentleman has identified that as crucial in advancing his argument that we need to provide still more transparency. He has done so in a reasonable way, because he acknowledges that there is a line to be drawn between the explanation of that case and revealing what cannot reasonably be said publicly because it would compromise the work of the agencies. I acknowledge that.

Of course, what the hon. and learned Gentleman did not say, although he knows it—perhaps he felt that there was no need to say it—is that the warrant must be deemed to be necessary for one of the core reasons: national security, serious crime or, where it is linked to national security, economic wellbeing. Access to the data must be deemed to be necessary on the grounds of the operational purposes. There is a test at each stage of the process and, in my judgment, that test is robust, but I again acknowledge that there may be a virtue in being clearer about the operational case. I was making a point about existing power—that power is currently available through the Intelligence Services Act 1994. Therefore, it is not new, but the safeguards are. Drawing those together in a single place, and therefore allowing the more straightforward exploration of both their purpose and their effect, is certainly new.

Above and beyond that, the oversight that is given additional strength in the later part of the Bill is there to ensure that all that is done meets the test that we have set, in terms of protecting private interests and so on. I acknowledge the argument about the operational case being a powerful one, but I think the structure of what we have put together stands scrutiny.

There is another argument that has not been used much in the Committee. In a sense, I hesitate to explore it now because in doing so I may be opening a hornets’ nest, but I am not a timid Minister, so why would I not want to face the stings that I might unleash? It is necessary to make the language future-proof, as far as one reasonably can. One of the criticisms of what we are doing—bringing the powers together in a single Bill, creating safeguards of the type we are building, trying to be as comprehensive as we can in this legislation—is that, because of the rapidly changing character of technology and the resultant effect that that has on both the threat and our ability to counter it, this legislation may be relatively short-lived.

If we look, albeit with the benefit of hindsight, at what has happened previously, we see that the legislation that the Bill replaces has, for the most part, been iterative—it has been a response to that dynamism. The language in the Bill is designed to be as carefully constructed as possible to allow the Bill to stand the test of time. Central to that is the advent of the double-lock mechanism, which should ensure that the powers are not misused by a future Government. That relates to something the hon. and learned Member for Edinburgh South West said in a previous sitting of the Committee. I think she argued that I cannot bind the future, and I said, with some reluctance, that that was true.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

Jo Cavan from IOCCO—the Interception of Communications Commissioner’s Office—told us on 24 March that the double lock and warrantry applies to only 2% of authorisations under the Bill. Does the Minister agree that he should be very cautious praying in aid the double lock as a safeguard when it applies only to such a small percentage of authorisations?

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

Yes, but the hon. and learned Lady knows well that the double lock applies to some of the most contentious parts of the process and, at the end of the day, is the involvement of the judiciary in a process that has been exercised at the sole discretion of the Executive up until now. The significance of that marriage between Executive authority and judicial involvement is considerable. All but the most mean-spirited of critics would want to warmly acknowledge that, and I see the warmth emanating from the hon. and learned Lady as she rises.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs) 2:30, 26 Ebrill 2016

I am not going to be mean-spirited. I acknowledge that the Government have made a significant step in the right direction by introducing judges into the warrantry process. I have my reservations about the degree of the introduction—I would like to see full-blown judicial warrantry—but my point is about how far that double-lock process can be seen as a safeguard when it applies to only 2% of the authorisations under the Bill. My point is not that it is not a safeguard but that it applies to only 2% of authorisations.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

The double lock applies to all the most intrusive powers. We can have a debate about whether—I do not want to put words into the hon. and learned Lady’s mouth—she wanted to rob the Executive, rob the people’s representatives, of all their authority. She may have felt that it was unnecessary for those accountable to the people—the personification, as I hope I am, of the people’s will—to have any involvement in these matters, but I do not take that view. I believe in representative government and I think we have got absolutely right the marriage between Parliament and the judiciary—but we stray, I sense, from the precise detail of this part of the Bill.

My judgment is that we have reached the place that we need to get to in order to get the marriage between safeguard and effectiveness right, with the caveat that I have already introduced on the operational case, and in the knowledge that a bulk equipment interference warrant can be used to authorise the selection and examination of material obtained by the warrant and does not require a separate examination warrant and permits the disclosure of material acquired in the manner described in the warrant. I think that this is an important additional power and on that basis I hope that the Committee will agree to this part of the Bill.

Question put, That the clause stand part of the Bill.

The Committee divided:

Ayes 9, Noes 2.

Rhif adran 69 Christmas Tree Industry — Bulk equipment interference warrants: general

Ie: 9 MPs

Na: 2 MPs

Ie: A-Z fesul cyfenw

Na: A-Z fesul cyfenw

Question accordingly agreed to.

Clause 154 ordered to stand part of the Bill.

Clause 155