I shall of course reflect on those points, which I was already aware of. It is important to emphasise that any encryption arrangements that a communications service provider has not itself applied, or had applied on its behalf, would almost inevitably fall outside these provisions because it would not be reasonably practicable for the company to de-encrypt. Many of the biggest companies in the world rely on strong encryption to provide safe and secure communications and e-commerce, but nevertheless retain the ability to access the contents of their users’ communications for their own business purposes—and, indeed, those companies’ reputations rest on their ability to protect their users’ data. In many cases, we are not asking companies to do something that they would not do in the normal course of their business, but I note what the noble Lord has said.
Amendment 93 deals with the subject of end-to-end encryption more specifically. This matter was discussed in detail in another place, so I will reiterate what was said there to explain why this is not an appropriate amendment. I have already outlined the strict safeguards that will apply. This amendment is not necessary because the Bill makes absolutely clear that a telecommunications operator would not be obligated to remove encryption where it is not reasonably practicable for it to do so. It is important to highlight that the amendment would in many cases prevent our law enforcement and security and intelligence agencies from being able to work constructively with telecommunications operators as technology develops to ensure that they can access the content of terrorists’ and criminals’ communications. Depending on the individual company and circumstances of the case, it may be entirely sensible for the Government to work with them to determine whether it would be reasonably practicable to take steps to develop and maintain a technical capability to remove encryption that has been applied to communications or data. But the amendment would signpost to terrorists and criminals that there are communications services they can use to communicate with each other unimpeded and which the authorities will never be able to access. That cannot be right.
Amendments 108 and 109 propose changes to Clause 230, which provides for a telecommunications or postal operator to request a review by the Secretary
of State of the obligations imposed on it by a technical capability notice or a national security notice. The Secretary of State must seek the views of the Technical Advisory Board—a group of experts drawn from the telecommunications operators and the intercepting agencies—and the Investigatory Powers Commissioner before deciding the review.
Amendment 109 seeks to insert the double-lock authorisation process into that review. I contend that this is unnecessary. The Government have an amendment which provides that the Secretary of State must initially consult the judicial commissioner on proportionality, and that the Secretary of State’s decision following the review must be approved by the Investigatory Powers Commissioner. As I have explained, if after consulting the commissioner and the Technical Advisory Board, the Secretary of State decides to confirm the effect of a notice or vary it, the Investigatory Powers Commissioner must approve that decision, so the amendment is not required.
Amendment 108 seeks to require the Technical Advisory Board to consider the consequences for others likely to be affected by obligations imposed by a notice. This proposal was first raised in the other place and, following discussion, considered to be unnecessary. I will briefly explain why. First, the Technical Advisory Board has a very specific role to play in advising the Secretary of State on cost and technical grounds. This role is reflected in its membership. Board members are drawn from the telecommunications industry and those persons entitled to apply for warrants and authorisations under the Bill. These experts are well placed to consider the technical requirements and the specific financial consequences of the notice. If they consider it appropriate, they may look beyond cost and technical feasibility, but those factors are rightly their focus.
The responsibility for considering the broader effect of the notice on the operator to whom it has been given sits with the judicial commissioner, and it is right that the commissioner has this role. As part of any review into the obligations set out in a notice, the commissioner must report on their proportionality. This would include an assessment of its consequences, both for the person seeking the review and for anyone else affected by it. Furthermore, the clause requires the commissioner to seek out the views of the person who has received the notice. The person will have an opportunity to raise any concerns regarding the effect of the notice with the commissioner for consideration, and the commissioner must report his or her conclusions to the person and the Secretary of State. In my view, and as concluded following discussion in the other place, the Investigatory Powers Commissioner is rightly placed to carefully assess proportionality as a whole. The amended wording would introduce unnecessary duplication and ambiguity over what the board and Investigatory Powers Commissioner are each considering.
Finally, allow me to turn to another part of the Bill. I welcome the intent of Amendment 129, which seeks to clarify the scope of the restrictions on the acquisition of internet connection records. The clarity that noble Lords intend to create with this amendment is already provided in the code of practice, and I hope I can reassure noble Lords that there are good reasons why this definition should not appear in the Bill. The Bill
already contains definitions of “telecommunications service” and “communication” which make very clear that a communication can include messages between individuals, between individuals and machines, and between machines. This maintains the existing position in RIPA, and it is absolutely right that the powers and, indeed, safeguards in this Bill apply to all forms of communication.
Taken in its broadest sense an “internet communications service” is simply a telecommunications service that involves communication over the internet and it should rightly include all forms of internet communication. But in the context of internet connection records the term is used to mean services that facilitate communications between two or more individuals, like email or social networking websites. An “internet service”, by contrast, is any other communication service a person could connect to over the internet, including person to machine communications, such as a person accessing a website. This distinction is made clear in the code of practice, which is the appropriate place for it because the definition has a different meaning in other contexts in the Bill.
I hope that noble Lords will be reassured that the definition is contained in the code of practice. We are concerned that defining “internet communications service” on the face of the Bill in the way proposed could cast doubt on the scope of the Bill in so far as it applies to internet communication services more generally. For all the reasons that I have set out, I ask noble Lords not to press their amendments.
7.30 pm