rose to move, That the Grand Committee do report to the House that it has considered the Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007.
The noble Lord said: I shall also speak to the Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007.
These orders, made under Section 71 of the Regulation of Investigatory Powers Act 2000, were laid before Parliament on 14 June. The purpose of the Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order is to secure approval of a draft code of practice relating to the acquisition and disclosure of communications data under the 2000 Act, its acquisition by public authorities and its disclosure by communications service providers.
Communications data, such as telephone and internet subscriber information, allocation of internet addresses, itemised call records and mobile phone location data, remain a vital tool in the prevention and detection of crime and in safeguarding the public. It is data about who contacted whom and when; it provides evidence of associations between individuals and events in time and place; it can corroborate the testimony of victims and witnesses; it can also provide evidence of innocence. Most importantly, it is not about the content of communications and what was said in telephone calls or written in e-mails.
The provisions of Chapter 2 were implemented in January 2004 and brought long overdue regulation to public authorities’ acquisition of communications data. Exercise of the provisions is under the vigilant oversight of the Interception of Communications Commissioner, Sir Paul Kennedy, assisted by a team of inspectors who scrutinise public authorities’ conduct to obtain communications data.
A draft code of practice has been in place since these provisions were implemented. It has been extensively revised to take account of actual practice and to address issues on which public authorities and communications service providers have sought guidance or clarification. Sir Paul and his inspectors have contributed significantly to the development of the code of practice, as have respondents to a public consultation on the draft. The code presented to Parliament sets out procedures that ensure proper respect for individuals’ human rights and reflect the reality of operational and investigative work.
The application of the code will significantly reduce unnecessarily bureaucratic processes. For example, it makes clear that a senior officer can authorise the obtaining of subscriber information without needing to know which service provider operates the phone number. It also makes clear that it is unnecessary to undertake a subscriber check prior to, or separate from, checking call records; that a single authorisation can cover the acquisition of specific data and the additional data necessary to interpret that; and that, where data is required in an emergency, no special internal paperwork is required but the public authority must collate the evidence of its decision-making from operational logs, which must be available to the commissioner’s inspectors.
The code also makes clear—this reflects operational practice over many years—that where the connection of a 999 emergency call is lost and information is needed to provide emergency assistance to the caller within the so-called “golden hour”, that is outside the arrangements of the Act.
The code makes clear that only appropriately trained and accredited investigators who understand the legislation can engage with communications service providers and spare them from ill informed, impractical or unlawful inquiries.
The Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order seeks the approval of a draft code of practice relating to the exercise and performance of the powers and duties under Part 3 of the Act to require the disclosure of protected electronic data in an intelligible form or to acquire a key, or a password, to that data. Part 3 gives public authorities no new powers to seize or acquire data, but it does give them powers, to be used only when necessary and appropriate, to require data they possess or are likely to possess to be made intelligible or to require disclosure of the key that will make the data intelligible.
These provisions are not in force. It has taken longer than was expected in 2000 for the same technologies that have enabled electronic commerce to develop to be taken up by terrorists and criminals to secure their information and to protect and conceal evidence of unlawful conduct.
Equally, encryption tools have remained cumbersome to use properly. That has been exploited by technical facilities such as the National Technical Assistance Centre (NTAC), which processes protected data on behalf of law enforcement and intelligence agencies.
However, these tools are becoming easier to use and are being installed in the standard operating systems of consumer devices. The impact of encrypted data on the work of investigators and their ability to work within statutory custody time limits will continue to increase.
The Government have made it very clear that these provisions would not enter in force until the time was right and not before Parliament had approved a code of practice. The time is now right.
The code of practice addresses issues on which Parliament sought clarification when the primary legislation was considered and debated. It takes account of the comments of respondents to the public consultation. The code makes it clear that the overriding purpose of the provisions is to enable investigators to access lawfully acquired information in an intelligible form, not to access the keys to data.
The power to require disclosure of key material can be expected to be used only where a person who is able to put protected information into an intelligible form indicates that they will not exercise that ability either voluntarily or on compulsion. The power is most likely to be exercised in relation to individuals who are the subject of investigation and responsible for protecting information that the authorities have obtained lawfully and believe to be evidence of unlawful conduct or relevant material to the investigation.
Once the provisions are in force, it will be an offence knowingly to fail to comply with a disclosure requirement, with a maximum penalty of five years’ imprisonment in national security cases or two years in other cases. We have consulted on whether that five-year penalty should be available in cases relating to possession of indecent images of children. I should report to the Committee that there is support for that, which would require amendment of the primary legislation. We will consider taking that step after assessing how well the provisions are used.
When this legislation was debated in Parliament, much concern was expressed that it would criminalise people with poor memories or would reverse the burden of proof in the case of those who claimed to have forgotten or lost keys to their data. The code makes it very clear that, where a person claims not to have had a key to the data, the prosecution must prove the contrary beyond reasonable doubt. If a person claims that they no longer have a key or do not know a key to the data, the prosecution must prove the contrary beyond reasonable doubt.
In direct response to concern expressed in public consultation that technical expertise is required to understand and apply this legislation appropriately, the code of practice makes it clear that no public authority may serve on any person a Part 3 notice without the prior written approval of NTAC. In this way, NTAC will have the crucial role of ensuring that the provisions are used appropriately, expertly and with the highest regard for compliance with the requirements and principles of the Act and the code. NTAC will also help to assure the various oversight commissioners of that.
Recognising the critical importance of the integrity of information security in the financial services sector, and in response to the concerns expressed by Parliament and the public, the code makes it clear that no requirement to disclose a key to protected information should be imposed on any company or firm authorised by the Financial Services Authority without prior notification to the chief executive of the authority or a person designated by him for that purpose.
Finally, as an additional safeguard against abuse, both these codes of practice make it clear that, if an oversight commissioner establishes that an individual has been adversely affected by any wilful or reckless failure by any person within a public authority to comply with the Act, the commissioner shall, subject to the need to safeguard national security, inform the affected individual of the existence of the Investigatory Powers Tribunal, which considers complaints about unauthorised or inappropriate conduct and should enable that person effectively to engage the tribunal.
Subject to Parliament’s approval, both codes and the provisions of Part 3 will commence on 1 October. Arrangements for delivering briefings to practitioners and other interested parties on the detail of the new provisions and the codes are being planned.
The primary responsibility for any democratic state is to protect its citizens, whether from the threats posed to us all by terrorism or from the threats posed to our most vulnerable citizens by sexual predators. It is right that in so doing the Government strike the right balance between the rights of communities and those of individuals. The guidance in both codes of practice does just that. I beg to move.
Moved, That the Grand Committee do report to the House that it has considered the Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007. 19th report from the Statutory Instruments Committee.—(Lord Bassam of Brighton.)
I am grateful to the Minister for that comprehensive explanation of the two orders, and the remarks with which he finished about the increasing sophistication of terrorists and of the criminal fraternity in general. I am pleased to hear that there was extensive consultation on both orders, and we welcome the safeguards provided under both the codes: first, the Interception of Communications Commissioner and, then, a further appeal to the Investigatory Powers Tribunal.
In the second order the controls on public authorities to ensure that the use of the powers is undertaken appropriately and in compliance with the requirements and principles of Part 3 and the code of practice are, again, reassuring. I am grateful to the Minister for recognising the question of the burden of proof, on which we are reassured. We have no objections to either order.
I thank the Minister for his detailed explanation of the safeguards included in this provision. I have five areas of concern.
First, there is the secrecy requirement. Paragraph 10.8 of the code of practice details the possible provision mandating that the person to whom a Section 49 notice is delivered keeps the existence of the notice secret. The enactment of such a secrecy provision, in combination with the fact that an individual may be ordered to disclose encryption keys to which he has access with a business or personal associate, means that authorities might be able to encrypt an individual’s information without their knowledge.
Secondly, paragraph 3.19 notes that encryption key material can be retained in the memory of an individual. The Minister explained at some length how the provision would work. Paragraph 10.5 states that if an individual provides evidence to the effect that he or she does not have possession of the key, the burden is on the prosecutor to prove the contrary beyond reasonable doubt, but it is unclear how that would work in the case of memorised passwords.
Thirdly, the sentencing guidelines seem to provide some bizarre incentives. Paragraph 10.2 lays out the penalties for failure to comply with an order: a maximum of two years’ imprisonment in most cases, rising to five years in national security cases. However, if an individual were in possession of an encryption key that would reveal their involvement in, say, a terrorist plot or other crimes such as child pornography, they would get off far easier by refusing to give the key and going to prison for non-compliance than they would by revealing the evidence of their other crimes.
Fourthly, the penalties for the abuse of power under Part 3 of RIPA need to be laid out. At present, only failure to protect disclosed information is covered, but there is a danger that public authorities will misuse their investigative power, and that remains unaddressed.
Finally, no mention is made of the need to protect the confidentiality of financial services. I refer to paragraphs 6.8 to 6.9. There are concerns that, if a bank is required to disclose keys that enable investigators to track the flow of money into and out of suspect bank accounts, the same data could be used to monitor other accounts. It would be helpful if the Minister could give his observations on the five points I have raised.
I am grateful to both noble Lords, particularly the noble Viscount, Lord Bridgeman, for his helpful observations. We have had fairly widespread support for both orders, and from wider than the usual suspects. We have had very welcome support from Liberty, which now thinks it wise to implement these powers and that they are actually quite helpful in the protections that they offer for the benefit of people who may be affected. This broad welcome was reflected in noble Lords’ comments today.
The noble Lord, Lord Dholakia, understandably sought reassurance on points relating to the second order. I am not sure that I shall be able to answer all his questions this afternoon—
I shall happily give what assurances I can this afternoon, but I am more than happy to write to the noble Lord on some of the more detailed points.
The noble Lord asked how the powers would operate with regard to a memorised key. In reality, it would not work that way, as even hardened paedophiles write down their passwords. They suffer from the same memory problems as all of us.
The noble Lord made the point that an offender could take a two-year penalty rather than a longer one for disclosing information. I recognised that in my comments, but we shall have to see how this works in practice. If there is a problem, we will more than happily reflect on it and, if we have to, bring it back—in that case I am sure that we would want to amend the legislation to make it more effective.
We can give the assurance that confidentiality is an issue for us and, where it is right, it must be respected. That is how we should operate.
I shall reflect some more on at least one of the noble Lord’s other two points and write to him. With regard to bank keys, to restate the obvious, the point is to acquire data in an intelligible form, not the keys themselves. The financial services are expected to disclose intelligible data, not the keys, and the Financial Services Authority has to agree before that will happen. I made that clear in my opening comments, but I shall reiterate it because it probably answers the noble Lord’s point.
I hope that the orders find favour with the Committee.
On Question, Motion agreed to.