As I know from my time in government, one of the greatest tools in going after precisely the perpetrators of such heinous crimes is matching the devices they use to them through IP addresses. That is why we passed legislation—the unfortunately acronymed DRIPA—which is being challenged in court by other Members of this House right now. It is also why, as I will explain in a minute, there are much more effective ways of achieving that objective than having a great dragnet, which is being advocated in the Bill.
Internet connection records, or ICRs, are my principal concern. We have been here so many times before—in 2008, 2009 and 2012. I cannot think of another proposal in Whitehall that has been so consistently championed, not, I should stress, by the police and the intelligence services, whose punctiliousness, scrupulousness and expertise I admire as much as anyone else, but by the Home Office, despite its failing to convince successive Governments. That is not the way that policy ought to be made.
The Home Secretary said that ICRs are significantly different from weblogs. The only differences that I can see are the exclusion of third-party data, welcome though that is, and the addition of some restrictions on the purposes for which the data can be accessed, although I note that some of those restrictions have now been relaxed again in clause 54 of the new Bill.
In terms of collection and retention, the scheme is the same—the name might be different, but the scheme is the same. Service providers will be required to keep records of every communication that takes place on their networks, and of potentially every click and swipe where there is an exchange of data between someone’s device and a remote server, for 12 months. It is the equivalent to someone in the days of steaming open letters keeping every front cover of every envelope from across the whole country stored in some great warehouse somewhere for 12 full months. It did not happen then, and it should not happen now.
The implication of this is very big indeed: it is that the Government believe, as a matter of principle, that every innocent act of communication online must leave a trace for future possible interrogation by the state. No other country in the world feels the need to do this, apart from Russia. Denmark tried something similar, as was referred to earlier, but abandoned it because the authorities were drowning, of course, in useless data, as they would have drowned in useless envelopes many years ago if they had tried this then. Australia considered it, but the police themselves said it was disproportionate. Many European countries, interestingly, have recently gone exactly the other way, relinquishing data retention powers following the ruling of the European Court of Justice in the so-called Digital Rights Ireland case in 2014.
At the request of David Anderson, QC, the Home Office has produced a so-called operational case for internet connection records, which we can all read. I would suggest that students of politics and government would do well to study that document, which is a model exercise in retro-fitting evidence to a predetermined policy. Naturally, it sets out how these data could be useful to the police and intelligence agencies. What it does not do, but should do, is to start from the operational need, where a lack of data is obstructing criminal investigations, and explore different options for meeting that need, while balancing the twin requirements of security and privacy.
It is simply false to claim that this dragnet approach is the only way to provide the Government with better tools to go after criminals and terrorists online. For example, as I said earlier, we could incentivise companies to move to the new industry standard for IP addresses at a much faster rate. That might sound terribly technical, but it is important, because our doing so would, at a stroke, go a long way towards solving the key problem of how to tie IP addresses on individual devices to suspects, which is one of the principal purposes of this Bill.
During my time in government, I saw very little sign that the Home Office had devoted any serious consideration to alternatives to ICRs. As the operational case illustrates, that is because this is not a case of evidence-based policy but of policy-based evidence. On top of that, we still do not know how it will actually work and how it would be defined. The Internet Service Providers Association states in its briefing for this debate:
“In its attempt to future-proof the Bill, the Home Office has opted to define many of the key areas in such a way that our members”—
these are the experts—
“still find it difficult to understand what the implications would be for them.”
The costs of ICRs are also unclear. The Government’s estimate is just over £170 million over 10 years, but the Internet Service Providers Association says that it does “not recognise” that figure, and BT has said that it believes the costs will be significantly higher.
Internet connection records are at the heart of this Bill. They are not just a technicality: they are principally at the heart of what information is stored on all of us for long periods by the Government in our name. This dragnet approach will put us completely out of step with the international community, there are practical problems with the proposal, and the terms used in the Bill are still unclear. That is why I urge Members in all parts of the House to properly scrutinise this far-reaching and poorly evidenced proposal, and to withhold parliamentary consent for such a sweeping power until the questions that I and others have raised are properly addressed.
3.52 pm