Days after Britain and the world reeled from the result of the referendum on Britain’s membership of the European Union, it’s back to business as usual for the House of Lords. This week the Investigatory Powers Bill was given its second reading, and it’s interesting to see how their Lordships approached scrutinising the wide-ranging powers of this controversial bill.
The Investigatory Powers Bill is intended to create a comprehensive framework that governs the way police, security and intelligence agencies intercept, store and use personal data. The current provisions are scattered across many different pieces of legislation, and do not always reflect current practice or technology. The bill goes beyond telephone records to include what it defines as internet connection records, a log of visits to websites, and the use of apps such as Apple’s iMessage, and WhatsApp, owned by Facebook.
The bill itself has been subject to substantial scrutiny as it passed through various House of Commons committees – including a joint committee made up of MPs and Lords – and has seen several amendments. To the government’s credit, it has been open to suggestions and as a result the bill garnered cross-party support.
Nevertheless, the bill’s powers pose issues of individual privacy, access to personal data, judicial review, the use of internet connection records, and particularly the practice of bulk interception by security services and the use of strong encryption. The second reading gives an impression of the approach that the Lords will take.
Certainly, those who contributed to Monday’s debate have experience in the activities this bill covers. Many possess considerable knowledge of the workings of the police and security services, have been part of the pre-legislative committees, held senior positions in security services or come from professions and industries that would be affected by the bill. But while this should be reassuring, a few patterns become immediately apparent.
A balancing act
The overriding theme of the members’ contributions was the need to balance the protection of privacy with ensuring national security. Most were supportive of the framework the bill proposed for issuing warrants and for judicial review. Attention was paid specifically to the need to restrict the range of offences that could lead to a data interception warrant being authorised. Suggested in particular from the Labour benches by Lord Richard Rosser and Baroness Dianne Hayter, the initial preference is to limit this to serious crimes.
However, given the backgrounds and experience of many of those contributing to the debate, it’s clear and perhaps concerning that national security concerns, not personal privacy, are the primary factor in making that decision. The Conservative Lord Tom King, a former chair of the Intelligence and Security Committee that oversees the work of MI5, MI6 and GCHQ, relied on a series of statistics on the use of communications data in prosecutions and counter-terrorism activities, before going on to defend the general sensibility and honour of those working in the UK’s security services.
The notion that there should be a sound legal basis for reviewing state sanctioned invasion of privacy does not amount to disputing the integrity of security personnel. But given such views are present among the Lords, we can expect to see some serious scrutiny of the argument for the protection of privacy as well as vocal support for the operational requirements of the relevant agencies.
The collection of internet connection records and bulk interception of data received a decidedly mixed response. The plans would require ISPs to store web access records for each individual internet user, recording the domain visited and time of access (among other data to be confirmed).
Some lords compared this to telephone call records, but Liberal Democrat Lord Ken MacDonald, addressing broader privacy concerns, pointed out that recording web activity could reveal intimate personal data, granting knowledge of “people’s lifestyles, beliefs, sexual practices, health and perfectly legal secrets”. There’s likely to be debate on this topic and amendments to the bill, especially given the doubts expressed toward the arguments for collecting internet connection records. As Liberal Democrat Lord Jonathan Oates said:
The government have not approached the issue by demonstrating where a lack of data is obstructing criminal investigations and then exploring how to tackle it … that is not evidence-based policy-making; it is policy-based evidence making and we should not accept it unless we have some much better answers.
Perhaps the most concerning aspect was the lack of discussion about encryption. The issue was raised only by the Liberal Democrat Lord Paul Strasburger, and briefly dismissed in the concluding remarks of Conservative Lord Richard Keen. The bill as it currently stands places an obligation on service operators to provide access to encrypted data in its decrypted form “where reasonable”. This might require companies to redesign their communication applications, sacrificing the privacy of their users.
This fundamentally undermines the point of encryption, and the implications for industries that rely on the safeguards strong encryption provides, such as shopping, finance and banking, requires very careful consideration – but in light of their Lordships’ discussions so far that seems unlikely at this stage.