My Lords, Amendment 247B in my name was triggered by government Amendment 247A, which the Minister just introduced. I want to explain it, because the government amendment is quite late—it has arrived on Report—so we need to look in some detail at what the Government have proposed. The phrasing that has caused so much concern, which the Minister has acknowledged, is that Ofcom will be able to
“remotely access the service provided by the person”.
It is those words—“remotely access”—which are trigger words for anyone who lived through the Snowden disclosures, where everyone was so concerned about remote access by government agencies to precisely the same services we are talking about today: social media services.
5 pm
So I hope the House will forgive me for teasing out why this is important and why we need extensive safeguards. This is non-trivial. If you are out there running a service, the idea of a government agency having remote access to your systems is a big deal, and the fact that this has come so late compounds that fear because it feels like it is being snuck in.
Ofcom, as I am sure it will remind us, is independent, but in the last debate it was referred to as part of the UK Executive. We cannot have it both ways. I see the chairman of Ofcom shaking his head at that, but we have just had a debate at the heart of which was the notion that this part of the UK Executive would give guidance to part of the UK judiciary. What is sauce for the goose is sauce for the gander. Here, the concern is that Ofcom would be seen as part of the UK Executive having remote access to social media services run by independent companies; I think your Lordships can see why that triggers things.
We need to establish in this debate that what the Government have in mind for Ofcom—this independent regulator—is utterly different from what might be the case with, for example, a security service under the terms of investigatory powers legislation. On the face of it, it looks similar, so it is important that, if it is different as the Minister has started, and I think will continue, to argue, we establish exactly why it is different and how we can be confident that is different. Amendment 247B in my name and that of my noble friend was intended to be helpful to the Government as one way of trying to establish why this is different, by placing some limitations on the Bill.
There are two risks inherent in this notion of remote access. The first is that Ofcom is overintrusive. It has an oversight role, but we are not expecting Ofcom to run our social media services; we expect it to oversee social media services that run themselves. Clearly, remote access, if used in an overbearing way, could be excessively intrusive in relation to those services being able to do what they do. In one version of remote access, which I think the Minister has tried to tease out, it is an offline exercise done occasionally to check something in a quasi-academic way; in another form, Ofcom sits there with a dashboard of what is going on in these systems, just as the Government like to do in their own public services with health and other things. Ofcom with a dashboard looking at what is happening in real time is quite different, and I think would be seen as overbearing and excessively intrusive. I hope the Minister will be able to provide further assurances that that is not what they have in mind.
The second risk is that the access is used for purposes other than simply Ofcom’s purposes. I am certainly not a conspiracy theorist and, perhaps unusually in my community of tech people, I quite admire the people who have only first names and live in Cheltenham, because I think what they do does keep us safe. That is what we pay them to do: to be creative and find creative ways to access data under lawful authority, et cetera, fully respecting human rights. I have confidence that those I have met do that and they do a great job; but we pay them to be creative and find access to data, not to put up with barriers. A spy is gonna spy. If they know that there is a form of access to data, of course, their job is to look at whether that would be useful to them.
My understanding—not as a conspiracy theory but as a matter of fact as to how the law works—is that, under investigatory powers rules, they can issue secret warrants, appropriately signed off, to pretty much anyone to access data. The recipients of those warrants have to execute them and, under penalty of prosecution themselves, are not able to tell anyone they received the warrant. Ofcom is not exempt from that. That is a fact, and we should recognise it; so, were Ofcom to receive an appropriate warrant for data, my understanding is that it would not have a way to say no and would not even be able to tell us about it. The best way to protect against that—to protect against temptation for James from Cheltenham, who is doing his job—is to make sure that remote access does not include anything that would be remotely useful to the security services. The way that we will be able to understand that is through transparency.
The Minister began his comments by saying that transparency and accountability were critical, and that maxim also applies here. We also want to protect against Ofcom’s own overreach and against any downstream use of that data. It is essential, therefore, that we understand in quite a lot of detail exactly what this remote access does and does not entail, so we can make our minds up about whether this piece is being used in an appropriate way.
I hope that the Minister can build on assurances which he very helpfully started to give at the beginning of the debate about this information notice process. He said that there was nothing secret about the
information notices. Again, I hope that we can reinforce that any platform that is concerned that remote access that it is being asked to provide is inappropriate can tell us all about it and, as the Minister said, challenge that. I hope also that individual complainants and the harshest critics of the Government and of the security services—and a lot of people in this world worry about these things who, when they read this debate or look at the amendment, will assume the worst—can see exactly what remote access has and has not been made available. Then also I hope that, as individual users—because it is all about our privacy, as social media users of one form or another—we will know that, when we hand our data over to the social media service, which correctly under the terms of this legislation is required to give Ofcom access and keep us safe, we will know exactly what that access entails and that it does not go further than we set out in the legislation.
The transparency piece is critical. Can the Minister say that the information notices in relation to remote access will never be withheld? It is an utterly different world from the investigatory powers world, where there are good reasons where things have to be kept secret. If the Minister can say that in that world nothing is secret about the fact of remote access, and if anybody who has concerns can get the information that they need to understand whether those concerns are genuine, or whether something much more benign is happening, that would be extremely helpful. The Minister mentioned judicial review by platforms. I get that but, if a platform feels that Ofcom, the regulator, is behaving in an overbearing way, I remain a little concerned that judicial review is quite a slow and painful process. As I understand it, it is more about whether it was legally correct to give the order than perhaps whether the substance of the order was appropriate.
We still need to know that the checks and balances are in place. If Ofcom, under a future leadership—I am sure not under its current leadership—were to take it upon itself to want to set up a dashboard to look at what was happening in every social media company in real time, and were taken by that spirit of madness at some future date, I hope that the companies would be able to raise concerns about that, because it is not what we intend to happen in this Bill. I hope that they would be able to do that in a more straightforward process than in a lengthy judicial review.
The Minister has a clear idea of the kind of reassurances that we are looking for. He teased out some of them in his opening comments, and I hope that he can make them even more strongly in his closing remarks.