My Lords, I am grateful to my noble friend for introducing this amendment. I will try to address the key points and then come back to the questions that she and the noble Lord have raised.
To be clear, communications data are the who, where, when and how of a communication, but not its content. They are a vital tool in the investigation of
serious crime, including terrorism, and in safeguarding the public. Gaps in communications data capability are having a serious impact on the ability of law enforcement and the intelligence agencies to carry out their functions. We shall talk about these wider issues in the next group of amendments, but it is significant that communications data have played a very important role in every security service counterterrorism operation over the last decade. The data are used in 95% of serious and organised crime investigations handled by the Crown Prosecution Service. That is what we are talking about at present.
On the point raised by the noble Lord, Lord Rosser, Clause 17(3)(c) contains a statement about what is not data for the purposes of the Bill. I think that that is a legal definition of a web log; so there is specific mention in the Bill of what cannot be accessed under this provision.
However, the provision in the Bill is on the issue of IP addresses. Every internet user is assigned an IP address to ensure that communication service providers know which data should go to which customer and route that accordingly. Addresses are sometimes assigned to a specific device, such as a broadband router located in a home or company. However, as my noble friend Lady Ludford referred to, they are usually shared between multiple users—hundreds or even thousands—and allocated automatically by the provider’s systems. The amendments seek to ensure that the scope of this provision is limited to the retention of data that are required to allow the identification of a user from a public internet protocol address, and I am very pleased that on that principal issue there is not a great deal of difference between us. It is important that this provision goes no further than is absolutely necessary to ensure that communications service providers can be required to retain the data necessary to link the unique attributes of an internet connection to the person or device using that data at any given time.
At this point, I should say to my noble friend Lady Ludford that in essence we are talking here about adding another essential piece of the communications jigsaw. We are not actually saying—and I do not think that anyone is making this claim—that somehow an IP address on its own will be sufficient to identify what has happened. However, alongside other communications data—for instance, other CCTV footage or other surveillance evidence that may be there—this could be helpful in identifying who was where on a particular device and communicated with whom at a particular time.
The noble Lord, Lord Rosser, asked for examples of access data that may be required. An example is port numbers, which are akin to a house number, where an IP address is akin to a postcode. I know that the noble Baroness, Lady Lane-Fox, could probably give us a tutorial on the technical points; I could probably do with one at some point. Other types of data include the MAC address—the identifier of a particular computer—the time, the location and so on. Those are the types of data covered by “or other identifier”, and that is set out in the Explanatory Notes which accompany the legislation and in the addendum to the draft data retention code of practice,
on which the Government have recently consulted. The code of practice sets out very detailed safeguards concerning how data can be collected. The consultation began on 7 December and concluded last week, and we look forward to informing the House of the findings very shortly.
The way in which an internet service provider identifies its individual customers varies from company to company depending on how their systems work. It is therefore important that the legislation is drafted in such a way as to enable us to work with individual communications service providers so that they retain only the data that they need to resolve an IP address. Our ability to do so would be limited by the amendment, which specifies the items of data to be retained in secondary legislation. For that reason, we cannot agree to the amendment.
The amendments seek to ensure that the provision goes no further than IP resolution, and I am able to confirm that the provision is already limited in this way. Clause 17(3), to which I have already referred, defines the data to be retained as data which,
“may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication”.
At this point I should say that, although we are talking about the Counter-Terrorism and Security Bill, this provision will be of significant assistance to those who are seeking to tackle, for example, the worrying growth in accessing child sexual exploitation online. That is an important element here.
The noble Lord, Lord Rosser, asked whether the Minister for Security, my honourable friend James Brokenshire, will be writing. The Minister in the Commons dealt with all the salient issues. We of course reflected on the points raised in the debate, but there is nothing that we see as requiring further clarification at this stage.
The noble Lord also asked whether the combination of primary and secondary legislation is confusing. This legislation is accompanied by a retention of communications data revised code of practice for those implementing the legislation. The Government also work closely with communications service providers. This will ensure that there can be no confusion about how the legislation can be applied.
My noble friend Lady Ludford asked whether any consultations with communications service providers have taken place. The answer is yes—probably not at the time that she was talking about, when the Bill was going through the other place, but certainly since then. We regard communications service providers as an integral part of this whole process and we want to work very closely with them.
The noble Lord, Lord Rosser, asked how we define a communication and whether it includes messages sent by social media. Any messages sent over the internet, including via social media platforms, will have associated communications data. That has always been the case under existing legislation. Where those data are generated or processed in the UK by a company subject to the data retention notice, they can be used to resolve an IP address—that is, they can be retained under this Bill. Those data could then be accessed only
where it was necessary and proportionate to do so for a specific investigation. However, that is quite separate from the content of a communication. What was said or written in, for instance, a Facebook message or a FaceTime call could not be retained under the Bill.
Similarly, the Bill ensures that we cannot ask internet access companies to keep a record of internet services that a given user account may have accessed, known as web logs, even where the data could be used to help resolve IP addresses. Any data which cannot be used to identify or assist in identifying the user of an IP address are already outside the scope of this provision. A requirement to retain data may be imposed only where it is necessary and proportionate to do so.
Accordingly, while I agree with the sentiment behind these amendments, I do not agree that they would add to the tightly drafted provisions that we already have. With the explanation that I have given and with my responses to the questions, I hope that I have offered sufficient assurances to noble Lords and that my noble friend will feel able to withdraw the amendment.
4.30 pm