Investigatory Powers (Amendment) Bill [Lords] – in a Public Bill Committee at 3:30 pm on 7 March 2024.
I beg to move amendment 6, in clause 21, page 45, line 7, leave out first “person” and insert “relevant operator”.
This amendment and amendments 7, 8, 10, 11, 12 and 13 provide that the expression “relevant operator” is used consistently in inserted sections 258A and 258B of the Investigatory Powers Act 2016.
With this it will be convenient to discuss the following:
Government amendments 7 to 13.
Clause stand part.
Clause 21 is required to safeguard lawful access to critical data, which is needed by law enforcement and intelligence agencies to keep the public safe from serious threats such as terrorism and child sexual exploitation.
Technology has advanced rapidly since 2016, presenting a risk to lawful access capabilities. Notification notices have been introduced in response to technological advancements and will require relevant operators who provide, or are expected to provide, lawful access to data of significant operational value to inform the Secretary of State of any technical changes that they intend to make that will have an impact on existing lawful access capabilities.
The requirement will apply only to relevant services or systems specified within the notice, which will be agreed in consultation with the operator, prior to the notice being given, and will not necessarily apply to all elements of their business. It should be noted that technical capability notices already contain a notification requirement; this is not a new concept to the IPA. The clause replicates the power as a standalone obligation within notification notices.
To be clear, there is no ability within the notification process for the Secretary of State to delay, prevent or alter the roll-out of the operator’s intended change. The requirement is needed to provide the Secretary of State—and, by extension, operational partners—with time to identify and evaluate any potential impact that the change may have on lawful access capabilities. It will also be important in giving operational partners time to adjust their ways of working to ensure that lawful access is maintained. The primary objective of the obligation is to create an opportunity for collaborative working between operators and Government to protect the crucial capabilities required to keep people safe.
Amendments 6 to 13 are minor and technical amendments to ensure consistency of language throughout the clause and the IPA.
I want to pursue another line of argument that has been put to members of the Committee. I spoke earlier about the principles of the notification regime; I now want to probe the Government on the extent to which they have considered the possible unintended consequences of setting it up.
The evidence circulated this morning includes a letter from academics and experts from the United Kingdom and across North America, who express considerable concern about the outcome of the proposal. During the last debate, the Minister explained that the justification is that companies from across the world have a reach into children’s homes in the United Kingdom, and it is the duty of this Parliament and legislators to keep them safe. I do not think anyone would dispute that at all.
The experts argue that an unintended consequence of being as radical as the proposal in the Bill is that citizens in the United Kingdom could be less safe. Although the Government are trying to restrict the scope of the regime to what happens in the United Kingdom, in reality it will mean that certain updates and security features will not be rolled out to the United Kingdom. In fact, certain organisations may think twice about developing products for the UK market at all.
I am way outside my comfort zone, so I will go straight to what the experts argue in their evidence:
“If enacted, these proposals would have disastrous consequences for the security of users of services operating in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates. They would orchestrate a situation in which the UK Government effectively directs how technology is built and maintained, significantly undermining user trust in the safety and security of services and products.”
They argue that this contains a significant risk of increased cyber-crime, as well as of endangering the encryption of important services. They conclude that
“these proposals are anathema to the best interests of UK citizens and businesses and internet users everywhere, and contradict universally accepted security best practices.”
I want to probe the Government on the extent to which they have considered the possible unintended consequences of how these companies may react to their proposals.
I thank the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East for the way in which he has approached the issue, and I am grateful to him for raising it, but I simply disagree. I disagree on the basis of advice that I have received from intelligence services, from UK-based companies, from the National Cyber Security Centre and indeed from many others.
Let us be quite clear. A notification notice does not create any conflicts of law, prevent any updates or prevent the application of any security patches. The only thing that it does is ask a company to keep the UK Government informed if it is going to change the way the UK Government will be able to protect British people. That has led to somewhat more caution in the reading than is necessary in reality; I have had many conversations with companies about that.
This is a difficult area, but as I understand it, the argument is not that the notification notices themselves have that issue, but that the combination of notices, together with the technical capability notice, the new provisions in relation to review and the status quo, could give the Government that sort of power. That is the argument.
I hear the hon. Gentleman’s point. I will just say that many of these powers have been in place for a significant period. The situation that he describes is not one that we have found or noticed in any way at all. I believe that this is a case of people gilding a lily to turn it into lead.
Amendments made: 7, in clause 21, page 45, line 8, leave out “person’s” and insert “relevant operator’s”.
See amendment 6.
Amendment 8, in clause 21, page 45, line 29, at end insert—
“‘relevant operator’ has the same meaning as in that section.”
See amendment 6.
Amendment 9, in clause 21, page 45, line 35, leave out “notice, as varied,” and insert “variation”.
This amendment provides that references to the variation of a notice are used consistently in Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
Amendment 10, in clause 21, page 46, line 2, leave out first “person” and insert “relevant operator”.
See amendment 6.
Amendment 11, in clause 21, page 46, line 2, leave out second “person” and insert “relevant operator”.
See amendment 6.
Amendment 12, in clause 21, page 46, line 5, leave out “person” and insert “relevant operator”.
See amendment 6.