My Lords, I wish to speak to Amendment 156A in my name and that of my noble friend Lady Hamwee. Before doing so, I endorse wholeheartedly what my noble friend Lord Strasburger has just said. The decision of the Advocate-General released today appears very much to add considerable weight to the arguments in favour of Amendment 147A.
Amendment 156A is an amendment to Clause 83, headed, “Powers to require retention of certain data”. It would exclude internet connection records from the types of data that telecommunications operators can be required to store, and, as such, would effectively remove the only new provision—the use of internet connection records—from the Bill.
We believe that such an amendment is necessary for several reasons. Internet connection records do not do what the Government claim they do. They do not provide the police and security services with the internet
equivalent of the communications data they already have—for example, access to mobile phone provider data. It is far more complex than that. At best, internet connection records provide only details of which communications platforms have been used, most of which are based in the United States.
Whether useful communications data can be accessed depends on voluntary co-operation by the American companies, which is unlikely in all but serious cases—for which there is an alternative. Internet connection records may provide leads, but they are difficult, complex and time-consuming to follow up. They fail the necessity test. The security services—MI5, MI6 and GCHQ—say that they do not need internet connection to be stored by telecommunications operators because they have other ways of securing the data that they need. In serious crime cases, GCHQ can, does and will help law enforcement to secure the communications data that the police need without recourse to internet connection records.
Indeed, there is a co-located joint operations cell in which the National Crime Agency and GCHQ have joined forces to tackle online crime—initially child sexual exploitation, but in the future other online crime as well. This information is in the public domain. At Second Reading, when I suggested that law enforcement could use security service powers instead of ICRs, the Minister said:
“But of course that is neither practical nor effective because many of the powers of the security services produce investigative material that is not admissible as evidence in a court of law”.—[Official Report, 27/6/16; cols. 1459-60.]
It would appear that the National Crime Agency and GCHQ agree with me rather than with the noble and learned Lord. Indeed, case studies that I was shown when I visited GCHQ tend to undermine the Minister’s assertion.
We began Committee stage by looking at RUSI’s 10 principles for the intrusion on privacy. I will quote just one, on “necessity”, which states that,
“there should be no other practicable means of achieving the objective”.
Internet connection records fail the necessity test. The National Crime Agency and GCHQ co-operation shows that there is a practical alternative.
4.45 pm
These measures can easily be evaded. Any terrorist or criminal who is the least bit technologically aware can easily and simply avoid giving away any useful communications data derived from internet connection records by using a virtual private network. If you use a VPN, the only internet connection record visible to law-enforcement agencies is the one connection to the secure server operated by the virtual private network provider. If you use a VPN, ICRs will not provide any information about any websites you have visited, or any apps you have used to communicate with other people.
ICRs are unacceptably intrusive on innocent people’s privacy. Those unaware of how to evade internet connection records providing any useful data—there will be a diminishing number of such people as those who are aware seek to make money by publicising VPN services—will have details of every website they
visited and every app they have used over a rolling 12-month period stored by private companies. While the communications data beyond the first page of each website are considered by the Government to be content, even the first page can provide sensitive personal information about the individual, and the time when and place where that webpage was accessed.
If you access the Alcoholics Anonymous website, a domestic violence website or a gender-reassignment website, you immediately reveal sensitive personal information about yourself. If your internet connection records show that you do not use your home internet service during working hours on weekdays, they provide information about you’re your home is unoccupied. Much about your lifestyle, personality and whereabouts can be gleaned from internet connection records.
The storage of internet connection records is a security risk. Technology experts claim that there is no such thing as a totally secure database and that commercial companies should assume that their security systems will be breached.