UK Parliament / Open data

Investigatory Powers Bill

My Lords, a number of amendments here separately seek to remove the encryption provisions from Part 9 or propose modifications to them.

I will begin with Amendments 92, 102 and 103, which propose removing the encryption provisions from Clauses 226 and 228. If these are anything other than probing amendments, I have to say that they are irresponsible proposals, which would remove the Government’s ability to give a technical capability notice to telecommunications operators requiring them to remove encryption from the communications of criminals, terrorists and foreign spies. This is a vital power, without which the ability of the police and intelligence agencies to intercept communications in an intelligible form would be considerably diluted.

Let me be clear: the Government recognise the importance of encryption. Encryption keeps people’s personal data and intellectual property secure and ensures safe online commerce. The Government work closely with industry and businesses to improve their cybersecurity. However, law enforcement and the intelligence agencies must retain the ability to require telecommunications operators to remove encryption in limited circumstances—subject to strong controls and safeguards—to address the increasing technical sophistication of those who would seek to do us harm.

Encryption is now almost ubiquitous and is the default setting for most IT products and online services. If we do not provide for access to encrypted communications when it is necessary and proportionate to do so, we must simply accept that there can be areas online beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. That cannot be right.

These provisions simply maintain the current legal position in relation to encryption and go no further. They retain the ability of law enforcement and the security and intelligence agencies to require companies to remove encryption that they have applied, or that has been applied on their behalf, in tightly prescribed circumstances. It would not—and under the Bill could not—be used to ask companies to do anything that it is not reasonably practicable for them to do.

The safeguards that apply to the use of these provisions have been strengthened during the Bill’s passage through Parliament. First, the “double-lock” authorisation process now applies to the giving of notices, which means that a judicial commissioner must approve the Secretary of State’s decision to give a notice. The Secretary of State must also consult the relevant operator before a notice is given. The draft codes of practice, which were published alongside the introduction of the Bill, make clear that should the telecommunications operator have concerns about the reasonableness, cost or technical feasibility of any requirements to be set out in the notice—which includes any obligations relating to the removal of encryption—it should raise them during the consultation process. Furthermore, the new privacy clause in the Bill requires that regard be given by the Secretary of State to the public interest in the integrity and security of telecommunications systems when deciding whether to give a technical capability notice.

7.15 pm

Finally, a telecommunications operator who is given a technical capability notice may refer any aspect of the notice, including obligations relating to the removal of encryption, back to the Secretary of State for a review. In undertaking such a review, the Secretary of State must consult the Technical Advisory Board—a non-departmental public body that includes representatives from industry—about the technical and financial requirements of the notice, as well as a judicial commissioner about its proportionality. Should the Secretary of State decide to confirm the effect of the notice, the Investigatory Powers Commissioner must approve this decision. All these safeguards combined ensure that an obligation to remove encryption under Part 9 will be subject to very strict controls and may be imposed only where it is reasonably practicable for the relevant operator to comply with that obligation.

I also make absolutely clear that the Bill’s provisions on encryption do not provide for a national security notice to be used to require the removal of encryption. The encryption provisions in Part 9 relate to technical capability notices only. The Bill was amended in the other place to make this clear.

For all the reasons I have outlined, these amendments are unnecessary and undermine the important principle that there should be no guaranteed safe spaces online for terrorists and criminals to communicate.

Type: Proceeding contribution
Reference: 774 cc272-4
Session: 2016-17
Chamber / Committee: House of Lords chamber