Question proposed, That the clause stand part of the Bill.
The Chairman: With this it will be convenient to discuss new clause 3-Provision of alternative key-
In some ways, the new clause is a technical measure. However, considerable concern has been expressed to me by business and those who use the internet that it may not be possible to provide a session key that would open the lock to the protected information. It might be the view of the authorities that a more general key should be provided. The situation was described to me by an internet user as being like keys to a hotel: the key to the front door opens the entire hotel, there is the master key for a particular floor and there are keys to the doors of particular rooms. If the authorities can ask for the key to the entire hotel, would it be possible for a compliant receiver of the notice to provide the key to the door-the session key? I should be interested to hear the Minister's views on that, as it has a relationship to the definitions of keys later in the Bill.
Mr. Richard Allan (Sheffield, Hallam): We wish to raise another issue in the clause stand part debate, although we recognise the merit of new clause 3.
I shall follow on from the hotel analogy of the hon. Member for North-East Hertfordshire (Mr. Heald). The key would be a credit-card-type key that is set up for only the period in which a person is staying in the hotel. When the person leaves, his contractual obligations in respect of having access to the room would end. Will the Minister allow a situation whereby an individual can revoke his key? Clearly, when the law comes into force, individuals will be aware of its provisions, and when they finish particular work they may wish to say that they no longer have any such responsibility for such data-in other words, they have checked out of the hotel.
In those circumstances, it would be useful to have a system supplied by the commercial provider or the cryptography assistant whereby an individual can formally revoke the possession of the key to make it clear that he does not have it. In the context of clause 47 and disclosing information in place of the key, one may wish to have a system whereby the agency that is requesting access to data would accept a revocation certificate in which the individual, because he has taken action in the past as part of ordinary business, can make it clear that he no longer has possession of the key. If people have certain access to data, it is usual practice in business when an individual leaves to ensure that he no longer has access to either the computer system or to data. Businesses may wish to have a formal arrangement under which it specifies that the individual is out of the encryption loop from that point onwards.
Has the Minister considered such a provision? Is there scope in the disclosure of information provisions for an individual to disclose a revocation certificate rather than a key itself? The police or those who have responsibility for such matters could ask the current occupier of the room for the key, which they will be able to use contractually and provide to the investigating authorities.
The Minister of State, Home Office (Mr. Charles Clark): I understand what the new clause is trying to achieve, but we believe that that is unnecessary. It is up to the party who is served with a decryption notice to decide what type of decryption key to disclose. If there is more than one that enables protected data to be put into an intelligible form, it is up to those who are disclosing to decide which key to use. In most circumstances, it will be up to the party to decide whether to hand over a key or plaintext. We expect plaintext to be good enough in most circumstances.
Let us consider a scenario in which there must only be a key. The flexibility sought by the new clause exists in the Bill. For example, if a symmetric-or session key-exists that will decrypt the data, the party served with a section 46 notice may prefer to disclose that rather than a private asymmetrical master key. The Bill permits that to happen. Section 46 notes require the disclosure of the key to protected information. I draw the attention of the hon. Member for North-East Hertfordshire to the definition of ``key'' under clause 52(1). It states:
the emphasis is on the word ``any''-
(b) facilitates the putting of data into an intelligible form.
We recognise, for example, that some of the reservations that business may have about disclosing master keys in response to a lawful requirement may not extend to the disclosure of session keys. That is why the Bill permits a choice.
In response to the hon. Member for Sheffield, Hallam (Mr. Allan), nothing in the Bill will stop revocation of the key after it has been disclosed to law enforcement agencies under a section 46 notice. Businesses may choose to do that for reasons of security.
Mr. Clarke: I did not make myself clear. I accept what the hon. Genteleman is saying. I did not mean to suggest that such action could be carried out subsequently. I meant that businesses may be undertaking such a process as a standard routine, irrespective of whether a law enforcement issue arises. I hope that I have clarified the matter and that Opposition Members will withdraw the amendment.
I come not to the clause stand part debate and wish to return to what I said when we debated clause 46. I shall reveal some of our thinking since the Bill was introduced. Clause 47 provides that, in responding to a decryption notice, a person may deliver up an intelligible version of relevant protected data-plaintext-rather than a decryption key, for example. The exception to that is when a notice contains a direction where only the disclosure of a key is sufficient. That is limited to occasions when imposing such a requirement is believed to be proportionate to what is sought to be achieved by doing so.
We have received many representations from the industry and members of the Committee. We believe that the position set out in the Bill is clear. However, I acknowledge that genuine concerns have been raised about the situation, and I hope that I can offer some comfort to those who have brought such matters to my attention. Many in industry have no difficulty with the principle of handing over intelligible data when they were required to do so under some lawful authority. However, they have some worries about handing over the keys. We have discussed whether those concerns are founded but, as we are constantly reminded, and acecpt, the perception of the use of the powers under the Bill is as important as the reality, because we want to develop co-operation, not to impose the provisions.
As I said on Second Reading, we envisage that the disclosure of the plaintext of protected material, rather than a key, will be sufficient in almost all cases in response to a decryption notice, and I expect that the disclosure of the keys themselves will be required in very few cases. However, our bottom line continues to be that we must retain the flexibility in the Bill to request the disclosure of the key itself in exceptional circumstances.
I use the word ``exceptional'' advisedly, for reasons that relate to the use of the word ``reasonable'', to which the hon. Member for Esher and Walton (Mr. Taylor) referred. I am considering whether to make it clear in the Bill that demanding the key itself should be an exceptional step. We would include guidance in the code of practice on those exceptional circumstances. Those circumstances could include cases in which timeliness is an issue and the plaintext would take longer to produce than a key; in which trust is an issue and the person who hands over the key might not be reliable, so chains of evidence must be protected; or in which security is an issue.
We might consider amending the Bill to allow insistence on producing the key only exceptionally and to state what might be exceptional in the code of practice. We might go further and specify that decisions on what is excepted may be escalated to the highest level, so that the Secretary of State or a chief constable, possibly with the approval of a surveillance commissioner or circuit judge if appropriate, would decide whether a circumstance was exceptional according to the code of practice. Obviously, that would set a higher test in the authority regimes than is currently envisaged under the Bill. I cannot table such an amendment now, but the Committee will want to know that I am considering those matters and that we intend to return to them on Report.
We believe that the Bill is well founded, but we acknowledge that the perception is an important issue as we develop a proper process. Defining the word ``exceptional'', including it in the code of practice and involving a higher authority-the Secretary of State or a chief constable-may give comfort to the industry; it would provide more of a guarantee that keys could not be sought improperly. I should be interested to hear any comment that members of the Committee might like to make on my proposals. The clause should stand part of the Bill, and I urge the hon. Member for North-East Hertfordshire not to press new clause 3 to vote for the reasons that I have mentioned.
Mr. Heald: The Minister probably gets nine out of 10. [Hon. Members: ``Ten out of 10.''] I never give 10 out of 10.
Mr. Clarke: There are always a few caveats.
Mr. Heald: Indeed. It is right and helpful that the Minister explained the defintion of the phrase ``and key'' and how he envisages its use. Under the doctrine of Pepper v. Hart, that definition is acceptable for use in any court proceedings.
The Minister's suggestion that a key should be disclosed only in exceptional circumstances is welcome. Again, it meets many of the concerns that industry has expressed. Clearly, we want to examine the detail of the guidance on timeliness, trust and security, but, given what the Minister has said, I shall not press new clause 3 to a vote.
Question put and agreed to.
Clause 47 ordered to stand part of the Bill.
Question proposed, That the clause stand part of the Bill.
Mr. Heald: This clause deals with the Secretary of State's duty to ensure that arrangements are put in place to authorise contributions towards the costs of complying with notices. Several people in industry have said that substantial costs can be involved. They would like me to ask whether the Government have realised that complying with the warrant could involve associated costs. It might not be immediately apparent that, apart from the actual costs of complying, changing existing systems to comply with the Bill could involve large costs. The disclosure of keys could involve firms in consequential costs to preserve confidentiality. Has the Minister taken those matters into account? How will such contributions be made?
Mr. Allan: I support the comments made by the hon. Member for North-East Hertfordshire. The wording used in the clause is similar to that used in clause 23, which places a duty on the Secretary of State to ensure that similar arrangements are in place. I remind the Minister that he undertook to consider such matters in the debate on clause 13, which involves a series of money resolutions. We are much happier with the wording used in clause 48 because, although it is similar to that in clause 23, the use of the word ``shall'' ensures that the Secretary of State will have a duty to make such payments. Subsection (2), which is italicised, deals with the payments separately from that duty.
Mr. Charles Clarke: I want to devote a moment to this important issue, which has been raised in various ways. As has been said, the clause will allow compensation to be paid to those who are required to disclose information following the serving of a written notice under clause 46. Questions about costs are difficult to answer in abstract; several factors will influence the outcome. As I have said, we expect the provision of plaintext to be more than adequate in the majority of cases, so the costs involved would not be significant.
In other cases, the authorities might insist that people provide keys rather than plaintext. In such cases, costs may accrue to individuals or companies, depending on the key demanded. I have seen some hypotheses that assert astronomical costs for companies if certian keys are demanded. I do not envisage that companies will be asked to hand over keys that will compromise the security of all their clients. First, that is unlikely to be proportionate. Secondly, if a large commercial concern can hand over plaintext, I find it hard to imagine that that will not be sufficient. Thirdly, I would expect to find that the agencies would be more than happy with any key-short of the master key-that enables them to read the material involved.
In short, we propose to meet the marginal costs that a business might incur in complying with the requirements of a notice along the lines of the current regime for interception warrants. The clause will allow such payments to be made, which is all that can be legitimately required in legislation. The clause should stand part of the Bill.
Question put and agreed to.
Clause 48 ordered to stand part of the Bill.
Question proposed, That the clause stand part of the Bill.
The Chairman: With this it will be convenient to take the following: New clause 1-Offences-
(a) with intent to impede access to protected information
or the putting of that information into an intelligible form, he fails to
comply, in accordance with any section 46 notice, with a requirement of that
notice to disclose a key to protected information; and
(b) he is a person who has possession of the key.
(2) A person is guilty of an offence if-
(a) he fails to comply, in accordance with any section 46 notice, with a
requirement of that notice to disclose a key to protected information;
(b) he is a person who has had possession of the key, but that key was not
in his possession after the giving of the notice and before the time by which
he was required to disclose it; and
(c) with intent to impede access to protected information or the putting of
that information into an intelligible form, that he did not, before that time,
make a disclosure, to the person to whom he was required to disclose the key,
of all such information in his possession as was required by that person to
enable possession of the key to be obtained.
(3) In proceedings against any person for an offence under this section it
shall be a defence (subject to subsection (4)) for that person to show-
(a) that it was not reasonably practicable for him to make a disclosure of
the key before the time by which he was required to do so;
(b) where the key was not in his possession at that time, that it was not
reasonably practicable for him, before that time, to make such a disclosure as
is mentioned in subsection (2)(c); and
(c) that as soon after that time as it was reasonably practicable for him
to make a disclosure of the key or (if earlier) of sufficient information to
enable possession of the key to be obtained, he made such a disclosure to the
person to whom he was required to disclose the key.
(4) Except in a case where there is no authorisation for the purposes of
section 47, in proceedings for an offence under this section a person shall
have a defence under subsection (3) only if he also shows that it was not
reasonably practicable for him to comply with the requirement in the manner
allowed by that section.
(5) In proceedings against any person for an offence under this section it
shall be a defence for that person to show that-
(a) at all material times he used due diligence to store the key which he
had or had had in his possession; and
(b) that where the key was not in his possession after the giving of the
notice and before the time by which he was required to disclose it, that he
did before that time, make a disclosure to the person to whom he was required
to disclose the key, of all such information to his possession as was required
by that person to enable possession of the key to be obtained.
(6) Where a person is being proceeded against for an offence under this
section, then at any stage of the proceedings, if evidence has been given of
his having failed to comply with any requirement of a section 46 notice to
disclose a key to protected information, the following evidence shall be
admissible for the purpose of proving that he had an intention to impede
access to protected information or the putting of that information into an
intelligible form:-
(a) evidence that he has or has had in his possession other information of
value on grounds falling within section 46(3) or likely to be of value for
purposes connected with the exercise or performance by any public authority of
any statutory power or statutory duty; and
(b) provided that seven days notice in writing has been given to him of the
intention to prove the conviction, evidence that he has within the [five]
years preceding the date of the offence charged been convicted of any offence
carrying a maximum sentence on conviction on indictment of five years
imprisonment or more.
(7) A person guilty of an offence under this section shall be liable-
(a) on conviction on indictment, to imprisonment for a term not exceeding
ten years or to a fine, or to both;
(b) on summary conviction, to imprisonment for a term not exceeding six
months or to a fine not exceeding the statutory maximum, or to both.'.
New clause 5-Failure to comply with a notice to disclose a key to protected information-
(a) with intent to impede access to protected information
or the putting of that information into an intelligible form, he fails to
comply in accordance with a section 46 notice with a requirement of that
notice to disclose a key to protected information;
(b) there are reasonable grounds for believing that possession of the key
is necessary to obtain access to the protected information or the putting of
that information into an intelligible form; and
(c) he is a person who has, or who after the giving of the notice and
before the time by which he was required to disclose the key had, possession
of the key.
(2) A person is guilty of an offence if-
(a) he fails to comply in accordance with a section 46 notice with a
requirement of that notice to disclose a key to protected information;
(b) there are reasonable grounds for believing that possession of the key
is necessary to obtain access to the protected information or the putting of
that information into an intelligible form;
(c) he is a person:
(i) who has had possession of the key; and
(ii) who has, or who after the giving of the notice and before the time by
which he was required to disclose the key had, possession of information which
would (either on its own or in combination with other information) enable
possession of the key to be obtained; and
(d) with intent to impede access to protected information or the putting of
that information into an intelligible form, he did not before the time by
which he was required to disclose the key, make a disclosure to the person to
whom he was required to disclose the key of all such information in his
possession which would (either on its own or in combination with other
information) enable possession of the key to be obtained.
(3) In proceedings against any person for an offence under this section it
shall be a defence for that person to show:
(a) in the case of an offence under subsection (1), that it was not
reasonably practicable for him to make a disclosure of the key before the time
by which he was required to do so;
(b) in the case of an offence under subsection (2), that it was not
reasonably practicable for him, before the time by which he was required to
disclose the key, to make such a disclosure as is mentioned in subsection
2(d); and
(c) where in either case it has since that time become reasonably
practicable for him to make a disclosure of the key or information which would
(either on its own or in combination with other information) enable possession
of the key to be obtained, he has made such a disclosure to the person to whom
he was required to disclose the key.
(4) Except in a case where there is no authorisation for the purposes of
section 47, in proceedings for an offence under this section a person shall
have a defence under subsection (3) only if he also shows that it was not
reasonably practicable for him to comply with the requirement in the manner
allowed by that section.
(5) A person guilty of an offence under this section shall be liable;
(a) on conviction on indictment, to imprisonment for a term not exceeding
two years or to a fine, or to both;
(b) on summary conviction, to imprisonment for a term not exceeding six
months or to a fine not exceeding the statutory maximum, or to both.'.
I understand that, with this group, the Committee is happy to discuss new clause 4-Powers of entry, search and seizure-
(a) there is on any premises a key to cryptographic product
which when applied will give access to protected information in an
intelligible form; and
(b) protected information has not already been provided in an intelligible
form, in compliance with a request to disclose a key under the provisions of
section 47 above; and
(c) any of the conditions set out in subsection (3) below is fulfilled;
he may issue a warrant authorising the person with the appropriate
permission to give a section 46 notice, and any other person specified on the
warrant, to enter and search the premises and any person found on those
premises, for the purposes of recovering a key.
(2) The appropriately authorised person may seize and
retain anything for which a search has been authorised under subsection (1)
above.
(3) The conditions mentioned in subsection (1)(c) above are;
(a) that it is not practicable to communicate with any person entitled to
grant entry to the premises;
(b) that it is practicable to communicate with a person entitled to grant
entry to the premises but it is not practicable to communicate with any person
entitled to grant access to the key;
(c) that entry to the premises would not be granted unless a warrant is
produced;
(d) that the purpose of a search may be frustrated or seriously prejudiced
unless an appropriately authorised person arriving at the premises can secure
immediate entry to them.
(4) The power to issue a warrant conferred by this section is in addition
to any such power otherwise conferred.'.
Mr. Heald: Clause 49 is an important clause, as has been apparent throughout our debates. Justice and the Foundation for Information Policy Research have provided the Committee with a barrister's opinion from Tim Eicke. On 23 March, I suggested to the Minister that it might be helpful if a Law Officer could attend the debate, but I understand that that will not occur.
The importance of encryption should not be understated; it is not important just because criminals use it. The main use of encryption is to preserve business and personal secrets on-line. If a person's secret key were passed to a third party, all the data under that key would be compromised. I understand the Minister's good intentions, but he will understand that handing over a key is not considered a trivial exercise by those who have them. There is concern about the potential liabilities for companies and individuals if they lose control over their private key. Some have described it as an incalculable loss of control. Others are obviously very worred about it.
This issue forms a nexus between the three requirements in the Bill: the need to provide crime fighters with the necessary powers to fight some of the foul trades that are perpetrated by criminals, the need to protect the individual and the need not to overburden business. In the past, the Labour party took a rather different view of encryption. In its 1995 policy paper ``Communicating Britain's Future'' it stated:
I hope that the Minister accepts that Labour party thinking in 1995 reflected the seriousness of requiring a key to be given up. At that time, the Labour party was prepared to contemplate it only under judicial warrant. That has clearly changed.
Clause 49 creates the offence of failing to comply with a notice under clause 46 to produce a key or a plaintext. It is a highly controversial measure for two very different reasons. First, Tim Eicke and other lawyers have described the repugnant nature of the offence created, which requires no guilty intention to ground a conviction. In most offences such a guilty intention is required. With theft, for example, the prosecutor has to prove that the person has acted dishonestly and has that intention or mental state. To prove murder, one must prove that the person intended at least to cause grievous bodily harm. Here all that has to be proved is that a notice has been served, that the person has or had the key, and that he has not complied with the notice.
As Tim Eicke points out,
He refers to the views expressed by the Lord Chief Justice in the case ex parte Kebeline in 1999, which was dealt with at divisional court level. He also referred to a Canadian case, Regina v. Whyte, which has a persuasive authority in this country as it is from another common law jurisdiction with English law as its base. Chief Justice Dickson said:
He went on to point out that there are other possible infringements of privilege against self-incrimination and a perverse incentive not to admit to ownership of a key.
The prosecution could prove facts that are entirely neutral about whether the person has any guilty intention. A person who has not complied with a notice but has had the key may have simply discarded the key or forgotten it. Keys are often discarded for sensible security reasons. The worry is that the burden of proof will be reversed for the defences in the clause. A person is being asked to prove something, whereas the prosecution need only prove facts that are entirely neutral as between guilt and innocence.
The other reason for the controversy surrounding the clause, which was touched on by my hon. Friend the Member for Mole Valley (Sir P. Beresford) on Second Reading, is reinforced by the submission from the children's organisations. Under the heading ``Support the clauses or make them tougher'' they conclude:
There is concern that the real criminal will either use the techniques described by the hon. Member for Hallam this morning, which make any investigation extremely difficult, or will settle for the lesser offence in clause 49 for fear that if he provided the key and the information became available in an intelligible form, he or his associates may be found guilty of a much more serious offence.
New clause 1 attempts to wrestle with those issues. It would introduce a guilty intent: the prosecution would have to prove that the person intended to impede access to protected information or its being put into intelligible form. It is slightly differently configured because it creates two offences. The first involves a person with a key who fails to comply and has that intention. The second involves failure to comply when he has had the key but not during the currency of the notice, and he fails to make a disclosure of all the information required to enable the key to be obtained and has that intention.
It would be necessary to prove a mental state-a mens rea-as in most offences. It would put the burden much more squarely on the prosecution. It would still leave intact the defence in subsection (3) of making disclosure as soon as is reasonably practicable, but would introduce a new defence of due diligence in storing the key and disclosure during the notice period. In order to be tough on the genuine criminal and to ensure that that guilty intention can be proved, it would allow evidence of other information of value in his possession, or of his previous convictions, to be used to prove a guilty intention. That is not unprecedented.
Handlers of stolen goods never admit that they know that the goods are stolen, particularly if they are professional. Proving guilty knowledge has been a problem over the years. One way that it can be done is under section 27 of the Theft Act 1968, which refers to their previous convictions and other evidence. That is the precedent that I have followed. I shall be interested to hear what the Minister has to say about it. It is an attempt to target the offence much more on the serious criminal, instead of the present unsatisfactory situation in which an innocent person has a substantial burden to prove his innocence.
New clause 1 would also toughen the penalty to 10 years' imprisonment to deal with the trap that might lead an individual to settle for the lesser sentence under clause 49. The urpose is to make it easier for the defendant who is innocent, while ensuring that the guilty person is properly punished. It also removes the perverse incentive to accept the offence. It tries to avoid problems by introducing a more satisfctory focus.
Will the Minister confirm that it would also have the benefit of making the offence arrestable, which would have the added advantage of providing powers of search in relation to the offence, which the police would welcome? I shall give an example to the kind of problem that I want to tackle. The Cabinet Office performance and innovation report in 1995 cited a case in that year in which two suspected paedophiles were arrested by police in the UK on suspicion of distribution child pornography on the internet. Their computer systems were found to contain pornographic images of children, and, in the case of the leading suspect, a large amount of encrypted material. The indications were that the suspects had used encrypted communications to distribute child pornography to contacts around the world via e-mail. Although both paedophiles were subsequently convicted of distributing child pornography, the police investigation was hampered by the suspect's use of encryption. Under the offence that I have drafted, the evidence of children's images on the computer could be used to prove the state of mind that is required for the new offence under new clause 1. Arguably, that would make it likely that the person concerned would be found guilty of the offence with the tougher penalty.
The Minister has been asked many questions about the clause. How will those served with written notices under the current clause, which requires plaintext or encryption keys, successfully show that they cannot comply with the notice? The Trade and Industry Committee asked that question in its 14th report on 26 October last year. Caspar Bowden, of the Foundation for Information Policy Research, asked how it was possible to prove, on the balance of probabilities, that a key has been lost or forgotten. I should be grateful if the Minister would answer that.
I expect the Minister to say that the burden of proof has not been reversed. He may argue that, because certain things must be proved, there is a burden on the prosecution. He may say that it will be necessary to prove service, non-compliance and that the person has or has had the key. All those, however, are equally consistent with a guilty and a not guilty intention. Will the Minister accept that there is a burden on the accused to establish innocence, against a background of the prosecution proving neutral facts?
Another question is whether the notice, and therefore the offence, is compliant with the European convention on human rights. Will the Minister flesh out his views on that? Much in the Tim Eicke opinion suggests that it might not be. The Minister may say that the courts will decide whether it is reasonable for a person to have lost his key. Will he accept that they will decide that only on the basis that the defendant must prove it? Usually, if there is a reasonable doubt, the accused is entitled to be acquitted.
The Minister may say that, according to the Kebeline case, not all reverse burdens are incompatible with the European convention on human rights. I challenge the Minister on that because their lordships expressly left the question to be decided by the trial judge in subsequent appeals. I should be grateful if the hon. Gentleman would confirm that the Kebeline decision does not mean that the courts have decided that all reverse burdens are not incompatible with the European convention on human rights.
The Minister may also say that many criminal offences place a burden on the defendant. If the Minister has studied those cases, he may agree that they are either restricted to the type of terrorist cases in Kebeline in which a person had documents in his possession and there was a reasonable suspicion that they might be used for terrorist purposes-very specialist examples-or minor offences such as failing to display a tax disc. Most people would accept that it is public policy to ensure that everyone displays a tax disc, and that if someone is convicted he is not likely to be sentenced heavily. Does the hon. Gentleman agree that he is adopting a most unusual procedure, and for that reason it is unsatisfactory?
New clause 4, which the National Criminal Intelligence Service asked me to table, provides for powers of entry, search and seizure to obtain a key. The inclusion of such a power in the Bill would, I am told, be a vital tool in the fight against crime. Investigators are anxious to retain their ability to deal with and make progress on investigations. The power to search for a key would not give investigators new powers, but would provide the means to continue to produce evidence to the courts in the current format prior to the introduction of easily available cryptographic packages.
It is clear that we must embrace new technology. Powers of search provisions always raise civil liberties concerns. However, the new clause makes it clear that the type of protection needed to comply with the European convention on human rights would be in place. For example, the powers of search would be judicially warranted, and would focus on the need to gather and present evidence to allow a full investigation of the original crimes, rather than on an offence under clause 49. So the power would be concentrated much more heavily on the evidence-gathering approach than on forcing a person to unburden himself of a key.
There are also concerns that the system set out in clause 49 will not deal fully with some of the problems that investigators face. The new clause would allow them to facilitate access if there was no one to grant access to the key. Such cases could arise if a keyholder had left the country or simply gone on holiday, making service of a clause 46 notice difficult, if not impossible. In urgent cases it would have serious implications if either the preservation of life was an issue or, as the Minister said in another debate, a large consignment of drugs could be captured. Access to encrypted data could provide information speedily in more serious cases, such as terrorism or kidnapping.
In paedophile cases, a suspect may say that he has lost his key, or refuse to hand it to investigators, knowing that the contents of his files are highly incriminating. NCIS has given me an example: it has been anonymised but the Minister may find it helpful. Mr. Smith was an active paedophile who used e-mail to swap pictures and to arrange meetings with children. One victim was a girl aged five. The police found out about his activities and arrested him. They searched his house and seized the computer.
Under the new regime, if Mr. Smith had been served with a clause 46 notice but refused to assist the police, he would subsequently be charged with the clause 49 offence and would probably plead guilty. The police investigation would go no further because they would not be able to defeat the encryption. However, if the police had a power to search under warrant, they could find Mr. Smith's cryptographic key and trace other child abusers. The advantage of the power to search is that it can be used in circumstances where the section 46-49 process does not of itself succeed.
That also applies in drug dealing cases. An active dealer in heroin who kept details of all his customers and suppliers on his home computer-which apparently dealers do-and arranged drug importation with his contacts using encrypted e-mail would supply smaller dealers and take care never to deal directly with the drugs himself. If the police mounted an operation against him and searched his house and he refused to assist, they would not be able to gain access to his computer files; but if they had power to search with a warrant under the new clause, they might be able to find a cryptographic key at the premises, or other premises, if it had been handed to a third party. I could give other examples. This power would also be useful in benefit fraud cases.
I am sure that the Minister will accept that the power to search is important in certain cases, but that it is not present because a clause 49 offence is not an arrestable offence that would give grounds for an application for a search warrant. I should be grateful if the Minister would consider new clause 4, which NCIS has described as ``vital''. I could go through the various protections in the new clause, which NCIS drafted. The Minister will see that it appears to meet all the usual concerns under the ECHR. Clearly, the usual requirements about evidence and reasonable suspicion would have to be met. That being so, and given the limitations in new clause 4(3) to circumstances in which
unless an authorised person arriving at the premises can secure immediate entry, it is clear that the new clause would add substantial protections. I hope that the Minister will look benignly on it.
Mr. Allan: I shall speak principally to new clause 5, which is our attempt to give the Minister an alternative to his provisions in clause 49 by disposing of some of what we regard as the clause's more difficult aspects. Many of the principal issues were touched on by the hon. Member for North-East Hertfordshire. We seek to establish the mens rea principle: we think that it should be phrased in legislation that an individual who had prevented access to protected information was guilty of an offence if he had intended to impede access. In our view, at the stage at which a criminal prosecution is being brought and a person is before the court faced with a serious criminal offence, proof of intent to block access to data should be one of the steps necessary to establish that an offence has been committed.
We suggest that there should be reasonable grounds for believing that possession of the key was necessary to obtain access to protected information. That goes back to our belief that there should be a direct link between the requirement to provide a key, and the data, if the agency suspects that there is a mischief in the data. There should be a requirement on the prosecution to establish a connection between the agency's request for the key and the individual's failure to provide it.
We suggest also that the offence should be based on the principle of a person having the key after the date at which the notice was issued. We have concerns about the wording of clause 49, which refers to a key having been in an individual's possession at some time in the past. Under all normal circumstances, an individual who uses encrypted data to become actively involved in mischief would have the key-it is hard to imagine why he would not have it. The Government are opening up the scope of the offence by referring to someone having had the key at any point in the past. They are drawing the offence far too widely, and we seek to narrow it down.
We are looking to create a defence in new clauses under which the key or information should be provided only if it is reasonably practical to do so. It is important that we have that practicality element. We have also sought to split the offence in half to cover those individuals, who have the key and those who do not have it but can provide information. Those are two separate issues.
The new clause is intended to probe a range of issues, and we have tabled it to follow up some of the concerns that have been raised-in particular, those on compliance with the European convention on human rights. An attempt is made in clause 49 to reverse the burden of proof. There is clearly a shift, and the individual defendant faces a high hurdle in terms of proving that he did not have access to a key. That is a serious issue in the world of the internet, where information is moved around at an incredible rate between people who are not always willing partners.
People have questioned whether, if someone sends encrypted messages to the Home Secretary, he could be had up in court and required to explain why he did not have the key to decrypt them. We need only look in our e-mail inboxes to see the kind of material that arrives every day. Some of it is not requested, and we have had no part in obtaining it. We have to flag it up under the ``adult contents'' list and consign it to the nether regions of deepest, darkest wherever. However, a comparable situation could arise in the circumstances that we are discussing. Illegal encrypted material, which the authorities properly want to get hold of, could be sent out to innocent parties who never requested it and who have no part in it. One of those individuals could be held up before a court; that is a real possibility.
To return to the paedophile example, an individual who has no part in such matters and who has requested nothing could receive a succession of encrypted paedophile images via e-mail. He has no way of reading them and tries to destroy them. As a normal internet user, he has great difficulty in preventing the material from coming to him. One can imagine a court saying, ``He received e-mails almost daily. We therefore have reasonable grounds for believing that he is part of the paedophile ring. We are requesting that he decrypt the e-mails.'' The person would turn up in court and say, ``I have no decryption key. I have never been able to decrypt them.'' It would be hard for him to prove that, because the circumstances-his being in court-look incriminatory. On the lowest test-the balance of probabilities-an individual who has paedophile imagery in his inbox every day for 10 days, even though he is unable and unwilling to access it, will have difficulties in court.
Mr. Ian Taylor (Esher and Walton): I may be able to assist the hon. Gentleman if he is being spammed with such e-mails. There are techniques that enable the authorities to find out what use has been made of e-mails, such as whether they have gone into the computer or have only been opened and immediately destroyed. A lot of these things will be time-stamped. Technology might provide a defence for the hon. Gentleman's hypothetical person.
Mr. Allan: I am grateful to the hon. Gentleman for that. I hope that we shall provide solutions for individuals in the circumstances that I described. However, I am suggesting that an ordinary user who appears in an ordinary court at present will have received and binned the material and will not necessarily have taken the technical precautions required for his defence. Many users will not be up on the technology. The individual will go before a court, and it will consider the simple fact that the material was present in an encrypted form. The court might not be equipped to go into some of the technical details that the individual requires to establish his defence.
I am trying simply to illustrate the difficulty that an individual might have in proving his innocence under the terms of clause 49 as framed. Individuals may demand from their service providers some of the technology that will provide them with a defence. However, most people being had up in court under clause 49 would be able to demonstrate that they are not guilty of failing to provide a key using the lower burden of proof-the balance of probabilities.
Self-incrimination is another key issue in clause 49 that has been highlighted in the legal opinions that we have been given. Whether an individual can argue that will have to be tested in court, but it is a serious matter under article 6 of the ECHR.
A further point is the structure of how encryption will be used when the Bill comes into force. We have already mentioned commercial operators creating positions in which individuals can defend themselves. When the offences are on the statute book, such defences will be strong. Will the provisions in clause 49 be under threat, or fail to meet the state's objective, if an individual contracts to comply with the notice in subsection (2)(b) requiring him to provide information enabling the authorities to attempt to get possession of the key, but that attempt is thwarted because, for example, the keys are held externally?
Let us suppose that the keys are held outside UK jurisdiction, and an individual tells the authority that a key escrow company called ``Steganographic Solutions Incorporated'' based in the United States holds them. In that case, there is no power to extract the key. What are the potential problems involved in UK agents not providing information in response to a notice issued against them, even though they comply with the notice's requirement to say where the key is? They can honestly say that they do not have the key, but the individual who does is not within UK jurisdiction and cannot be prosecuted under the clause.
Such a key escrow position may develop for the benefit of encryption users who regard key escrow outwith UK jurisdiction as being in their favour. they can honestly say that they are trying to comply, but their compliance is thwarted by the fact that they cannot control an important element of the key provision.
We are anxious about the breadth of the information that may be revealed when an individual is required to produce the key in such a way. Will ancillary information go beyond the proportionality requirement in article 8 of the European convention on human rights? When individuals seek toprove in their defence that they have a range of information stored in their data banks to which the Government have no right of access, will such a defence demonstrate that the actions of the state in issuing the notice and prosecuting individuals is not proportionate?
Finally, I shall deal with the technical aspects of potential problems and examine specific instances. Cases in which a computer goes wrong may cause major problems in that area. Individuals may be tempted to use things going wrong as a defence. Anyone who has tried to compact or compress hard disks using Microsoft software-a topical subject-will find that problems frequently arise when large sections of their hard disk or data are rendered unintelligible and they have no way of getting the original material back.
What may be described as a Windows bug defence could be created, whereby individuals have a strong argument for saying in court that they attempted to use software, only for their hard disk to be currupted, preventing them from accessing the keys or anything on the disk. Has the Minister examined that issue, which the courts-especially those that have tried to use the software-would probably accept as resonable grounds for believing that an individual could no longer access the key?
A range of techniques will be introduced to organise the defence against clause 49, which are not currently recognised in the clause's provisions. Some of those defences will be effective in the long term. We are talking not only about passwords or encryption keys as they are now, but about very complex encryption systems and a range of technical measures that will allow people to mount successful defences. Ironically, it will frequently be those who are most committed to breaching the law who will find routes to those technical defences and inoculate themselves against clause 49 offences. Those at the more innocent end of the spectrum, with material that they may not have requested, are more likely to be caught, and potentially prosecuted and convicted, even though they have not been engaged in the serious activities that clause 46 was designed to cover
Mr. Ian Taylor: Although I failed to catch your eye, Mrs Michie, when we debated clause 47 stand part, the Minister's assurances at the end of that debate were important because they placed a higher requirement on the use of demands for the key, as opposed to plaintext. In clause 49 and the new clauses that we are discussing, the desire is to protect the innocent. Innocent people may reasonably be thought to be in possession of the key, but that conclusion may in fact be unreasonable. In other words, the innocent must have a way out of an accusation that they could have revealed information to the authorities.
I stress that I am not a lawyer, and plenty of lawyers have made a lot of money telling me that I am not, but the clause states that a person shall have a defence
That provision is expressed rather negatively. Although it is not directly related, new clause 1 contains the phrase,
That is a completely different way of viewing the same potential problem. I prefer the emphasis in new clause 1.
The difficulty is to try to prevent people who want to assist, but for some reson cannot, from being caught by the clause. One way of overcoming that risk would be to ensure that everybody put their keys into key escrow, which returns us rather circuitously to what we agreed we would not have: a statutory key escrow scheme. When we discussed the matter on Second Reading, it was clear that the Minister understood that. I have recanted since the dim and distant days when I thought that such a scheme might be a good idea. Therefore, we are at one against that. We do not want clause 49 to make companies so terrified of losing the key that they do eventually go to key escrow. That is not the way that the Minister wants to go, although key management, which may involve key escrow, is a sensible way of approaching the issue. Many private detective agencies and banks are setting themselves up to do that. I am not saying that that is not the right way to go, but we should not try to enforce such a measure because it suits the state or because companies are so terrified about losing the key that they feel that they must do it.
Inevitably, there will be technological ways of protecting the innocent. They are fairly complicated and I am sure that their number will grow in accordance with requirements. It is astonishing what a hard disk can remember, even when corrupted. With cookies and other measurement instruments, one can find out how an e-mail or web page has been used. In all those circumstances, those technological developments are not threatening; they represent one way in which the innocent can protect themselves against an unreasonable assumption that they could have given information which they are not in a position to give. My hon. Friend the Member for North-East Hertfordshire is right in that if we can make the test of criminal intent more explicit, we can increase the penalties. If we try to increase the penalties when the innocent may be captured until proven innocent in the courts with all the publicity and stigma that is attached to it, we do not want the penalties increased.
If, the emphasis is placed on the need to prove criminal intent, the penalties could be strengthened and that might overcome the difficulty whereby some criminally minded people might prefer to take the de minimis two years rather than something that could be much worse. There are many reasons why the Minister would be well advised to take note of the speeches of the hon. Member for Hallam and my hon. Friend the Member for North-East Hertfordshire because of their attempt to assist the Bill by strengthening the proof of criminal intent. Furthermore, new clause 1 would strengthen the penalties that might be imposed and, thereby, overcome some of the difficulties that will ultimately be criticised by industry when the Bill is discussed on Report, unless the Minister is about to make further concessions in the way that he has skilfully done throughout our proceedings.
Mr. Charles Clarke: I shall make no concessions. The position is straightforward and I shall deal with it at some length. Those who have spoken so far in the debate have been clear about the matter. It has been one of wide pubic discussion and concerns have been expressed that have sometimes been distant from reality.
I shall deal first with the central allegation of the opinion from Justice and the Foundation for Information Policy Research, which lies behind the two new clauses. It does not, however, carry sufficient force to merit such a response. The allegation is that the offence of failing to comply with a disclosure notice reverses the burden of proof to the extent that it is incompatible with article 6(2) of the European convention on human rights, which concerns the presumption of innocence.
It is said that it is easy to forget a password or key and difficult to prove a negative in that a person does not have something. The central charge that is made is that innocent people may suffer in such circumstances, which new clauses 1 and 5 seek to address. I believe strongly that the provisions are compatible with the European convention on human rights. My right hon. Friend the Home Secretary has signed a section 19 statement to that effect. It is not a frivolous undertaking.
The hon. Member for North-East Hertfordshire said-I am sure loosely-that the lawyers think this, that or the other, referring to the legal advice on such matters. I shall chide him gently and say that, in my experience, the lawyers never think any one thing. They have a range of different opinions on any given question. While the legal opinion is perfectly legitimate and valid, I hope that he would do the Government the credit of acknowledging that the legal advice upon which the Home Secretary has signed a section 19 statement is an equally valid-I would argue that it is more valid-opinion.
Under clause 46, there must be reasonable grounds for believing that a person served with a decryption notice can comply with any requirement placed upon him, by which I mean that that person has a key, before the use of the power can be authorised in the first place. As for the proposed non-compliance offence, the Bill places the burden on the prosecution to prove that the accused is, or has been, in possession of a key. It also outlines several statutory defences. I say to the hon. Member for Hallam that the innocent individual who receives unsolicited e-mail cannot be prosecuted unless it can be proved that he or she had possession of the key at some point. An issue is involved if the user was the only person who had the key and he or she claims to have lost it, but not if the individual can prove that he did not have possession of the key at some point.
Mr. Allan: It is up to the individual to prove that he had the key. The individual who receives the unsolicited e-mail might go to court and say, ``I never had the key, guv. What key?'' My reading of the Bill is that that will not be enough because the prosecution could say, ``We think that it is likely that you had the key.'' The prosecution does not have to prove that he had the key.
Mr. Clarke: I am coming to that point. I make it clear that it is an absolute defence to prove that one did not have the key.
It will be for the court to decide in any particular instance whether on the balance of probabilities a person has, for example, forgotten a password-that example has been widely discussed. There are many offences on the statute book that place burdens on the accused. Our approach in this context is to argue that a person who has been shown beyond reasonable doubt to have had the key in his possession is presumed still to have that key unless it can be shown on the balance of probabilities that he no longer has it.
That is the situation in terms of the legal burden of proof, but I want to discuss it in terms of common-sense understanding and to explain what will happen in particular cases. I agree with the hon. Member for Hallam that it is helpful to consider examples. I hope that that reinforces the point that I have made on several occasions that the offence does not reverse the burden of proof. It places a lesser burden on the defence, which is entirely appropriate. That approach is replicated in relation to many other offences. Let me explain why.
The real issue concerns not the reversal of the burden of proof but whether the individual in question can show on the balance of probabilities that he no longer has access to the key. The nature of emerging encryption technologies means that proving, even on the balance of probabilities, that one does not have the key at the relevant time could be a tricky proposition. That point was made by the hon. Member for Hallam.
However, we should put the matter in context. Data may have been acquired by law enforcement or other agencies through-it is important to emphasise this-lawful means, and a notice served on someone whom the authorities have reasonable grounds for believing has access to that data or to the means to decryt it. In that case, the authorities would have proved beyond reasonable doubt that that person either has, or has had, that data or appropriate means when the notice was served. In that event, the defendant may show on the balance of probabilities evidential that he did not have the key or could not comply with the request. The hon. Member for North-East Hertfordshire asked what could be done to show that.
There are two clear different circumstances, the first of which involves the case of a business. The business, which is responsible and secure, always has back-up mechanisms, always anticipates the loss of a key and always has an audit trail that establishes when keys were used for what purposes and when they were thrown away. We have got that message strongly from talking to business, and it is entirely reasonable to have such expectations. The hon. Member for Esher and Walton mentioned the possibility that some might choose the approach that is associated with key escrow. That is a different way to secure a rigorous system that pursues and tracks keys.
If a business found itself in that position-I emphasise, by the way, that I doubt whether it would-and had to show, on the balance of probabilities, that it did not have the key at the relevant time, it could wheel in any number of technical records to explain the circumstances under which it normally disposes of keys to produce evidence to that effect. Businesses are in a good position in this regard because their conduct will normally be supported by substantial records.
What about the individual? That raises the other case, which was discussed on Second Reading by my hon. Friend the Member for Milton Keynes, North-East (Mr. White) and others who raised it in different circumstances. What about the individual who simply forgets his password? As critics have said, that is a very reasonable thing to do-many people do so in many different circumstances. We should bear in mind that the individual has to demonstrate his forgetfulness only on the balance of probabilities, which means that he is already some way there. It is a reasonable explanation for him to say that he has forgotten his passport-I keep saying ``passport''; I mean ``password''-[Laughter.] I confess to having the Home Office disease. ``Password'' is the word what I want.
Precisely because forgetting a password is such a reasonable thing to do, it is rare that there are no contingency arrangements for such an eventuality. Depending on the circumstances of the case and the reasons why the material was acquired in the first place, individuals could easily state that they had forgotten their password or key, but volunteer information about the last time they remembered it, what they normally do when they forget it, whether their service provider has a back-up system or whether all data are destroyed every time that they lose their key. The court will take such factors into account. I think that that represents a perfectly reasonable set of events. I emphasise again that there is no reversal of the burden of proof. Once the prosecution has proved possession beyond reasonable doubt, the defence can avoid liability by demonstrating a change of circumstances on a balance of probability.
For the reasons that I have set out, I think that the alleged evils addressed by the new clauses are illusory. The burden of proof is not reversed.
There are other aspects of new clause 1 that do not appeal. The case for increasing the maximum sentence to 10 years is well made and I understand it, but the overriding concern must be the seriousness of the offence. Increasing the penalty to 10 years would put the offence on a par with cruelty to children or making threats to kill. I am not certain that that would be right; even the possession of paedophile material, which we discussed earlier, does not carry such a sentence. I am also conscious that, on Second Reading in particular, hon. Members alleged that what the Bill allows us to do amounts to key escrow by intimidation. As I said on Second Reading, I do not accept that, but it seems to me that increasing the penalty to 10 years' imprisonment would serve only to heighten that criticism and send out the wrong signals. We do not wish to do that.
I am also not attracted to subsection (6) of new clause 1, which proposes that a conviction resulting in a prison sentence of five years or more in the previous five years could be used as evidence of intent. The provision appears to have been modelled on a similar section in the Theft Act 1968-section 27. Such provision should be considered exceptional, and I am not persuaded that something along the lines set out in new clause 1 is needed.
The burden of proof is not reversed and the maximum two-year sentence is entirely appropriate. On that basis, the new clauses should not be accepted.
The hon. Member for North-East Hertfordshire also spoke to new clause 4, which adds to the Bill the power to search for a decryption key, with the authority of a circuit judge. I understand the reasoning behind the new clause, which seeks to assist the agencies to meet an operational requirement, but there may be practical difficulties. In some cases, there may be good grounds for believing that a person served with a decryption notice will fail to comply, thus enabling the authorities to apply for a search power at the same time as their application to serve a notice. However, in other instances, that may not be the case. The focus of the power is on suspects and their accomplices who have keys, but who wilfully refuse to co-operate; the hon. Gentleman made that clear. As we discussed this morning, the technology involved means that the key that the law enforcement agencies are seeking may, in fact, be held by a third party. The new clause raises the spectre-that may or may not be a justified perception-of the authorities searching the premises of innocent parties. That is a step too far, and that is why we did not include it when we first discussed what would be in the Bill.
The debate touches on difficult questions of judgment, and I acknowledge the diffuculties. In some ways, new clauses 1, 6 and 4 push in opposite directions. I am not criticising; it is a difficult issue. However, we believe that the balance that we have struck is right, and we consider that many of the criticisms that have been made are not well founded. The new clauses should be withdrawn.
I realise that I have not responded to the point made by the hon. Member for Hallam about hard disk failure and the destruction of a key in those circumstances. If the key is not available, the Crown Prosecution Service will not bring a prosecution. I am confident that the courts can distinguish between the loss of keys or an IT failure of this type and an attempt by the holder to destroy the key. When hon. Members have had a chance to consider what I have said, I hope that they will not press the new clauses to a vote.
Mr. Allan: I wish to come back on two points. First, I seek further clarification of the defence of ``I have no key'' or ``I have never had the key''. My understanding is that it will be for the prosecution to prove beyond reasonable doubt that the individual has the key or had it at some point. That burden of proof is clear. Can the Minister say what kind of evidence the prosecution would have to present to satisfy the courts that a person has the key or had it at some point? It is important to get that on the record so that it is clear.
Secondly, I want to raise some concerns about the way in which the offences will be dealt with. It is an either-way offence. We note that one possibility is that the offences will be dealt with on summary conviction in the magistrates courts. It will be difficult to present these technical issues in any court, but particularly in a magistrates court, where they are harder to deal with. To what extent do the Government think that they should consider the technical issues referred to by the hon. Minister for Esher and Walton in relation to demonstrating beyond reasonable doubt that an individual had a key?
I want to reinforce the point that individuals who use encryption technology will frequently not know that they are doing so, as the Minister said earlier when he referred to mobile phones. The classic example must be a bank's automated teller machine, which has PIN numbers and passwords. The individual in that case is using an encryption system that depends on a unique key-the PIN number-which only the individual knows, and the banks claim that even the people who work in the bank cannot unlock the key. However, if someone were asked whether they were using encryption, they would say they were not. That will increasingly be the case as people use their digital television sets to access e-mails, the internet and so on: the encryption will be hidden from the end user. Therefore, the response to the serving of a notice will frequently be ``What key? What encryption?'' People simply will not understand that and will say, ``Talk to my service provider''.
How will the Government get round that point and how will the relationship with the service provider work? Will notices frequently be issued against the service provider, who may have a cracking technology, or against end users, who will have difficulty in delivering what is required, because they do not understand what they are using, for perfectly sensible reasons? They want to get the service without getting into all the technicalities. Problems could arise when people are accused of offences because of things that they cannot comply with, not through malice, but through simple lack of understanding of what they are dealing with. The first thing that they will fail to understand is that they are using encryption at all.
I can have confidence that agencies such as the Crown Prosecution Service that are trying to pull together evidence for a prosecution case will have an understanding of IT failure. It was an important admission from a Home Office Minister that his Department has some understanding of IT failure, particularly in the light of his earlier comments about passports. However, the serious point remains that a range of strategies will be used to try to circumvent the process, many of which will not only involve things that we can see now, such as IT failure, but, increasingly, complex network solutions. The hard disk crash of today will relate to people claiming failure at any point in the system, which will be much more complex than the present one. Taking that sort of material before the courts will be difficult.
Interestingly, the hon. Member for Esher and Walton referred to cookies. Increasingly, an individual no longer controls his own computer: the computer is part of a network and as much material is put on the computer by people outside as goes out from it. Therefore, people will honestly be able to claim, ``It wasn't me, guv. I had no hand in it.'' When people are connected to networks keys can be removed without their knowledge. A third party can intervene extensively on a computer. As we move towards technology as such as network computers, where the bulk of the information is stored centrally in an amorphous mass in the network, the user will have but little control over the end point. In the past, if a person were caught with a computer, one could say ``You must have put everything on there. You are responsible for it all.'' That will increasingly not be the case.
The glazed faces across the Committee make me realise that I have gone far enough down the technical route. I shall take the anorak off again and leave the Minister with some of those points, to which I hope he can respond.
Mr. Heald: I also want to tempt the Minister to go a little further. The opinion from Tim Eicke sets out in some detail why he feels that the clause 49 offence is not ECHR compatible. It is my understanding that the Law Officers' view is that is incumbent on the Minister to explain why he does not agree.
The Attorney-General said last year in the House of Lords:
The Minister has rightly said that the Bill contains a section 19 statement saying that its provisions are compatible, but when the Attorney-General said that the person responsible should explain his or her thinking on compatibility so that reasons could then be given, I am sure that he had more in mind than simply ``There is a statement on the front of the Bill.'' He clearly meant that there would be more detail than that issues such as those raised about repugnancy would be tackled. Therefore, I invite the Minister to go a little further on that.
The Minister also said that he did not like the part of new clause 1 in which evidence of previous convictions and other items could be used to prove guilty knowledge, on the basis that that would be an exceptional approach. It is true that it is an exceptional approach, but it is targeted at what this offence requires to attack the guilty and protect the innocent. That is why the provision in the Theft Act was used to identify the mental element in the offence of handling stolen goods. The Minister is right that it is exceptional, but why should that mean that it cannot be done? Occasionally, exceptional things can be done. I invite him to join me, be creative and do something exceptional.
Mr. Charles Clarke: Would the hon. Gentleman like to be specific about that?
Mr. Heald: Accept my new clause.
Mr. Clarke: I was referring to being creative.
Mr. Heald: Finally, why does the Minister believe that plaintext rather than a key will be demanded in most cases? Reputable businesses will be likely to co-operate without a notice under other procedures. There may not be many keys that are held in escrow by third parties, especially now. Will he accept that the authorities will not accept plaintext from anyone that they mistrust, in which case surely it is likely that the power will be used only sparingly and will tend to be used where the key is needed? Although he intends plaintext to be the solution, surely the notices are likely to have to be served only when the key is required. That is what many people in the industry believe.
Mr. Clarke: Several points have been raised and I shall deal with them in turn.
To confirm what the hon. Member for Hallam said, the prosecution must prove that the accused had the key; mere suspicion is enough to serve a notice, but not to bring a prosecution. I hope that that clarifies his point. How will authorities prove possession? I accept that that is difficult and that it is a high hurdle for the prosecution to cross. Nevertheless, it is the correct hurdle for the CPS. There are technical issues and the courts face serious problems in dealing with them, but there is no need to distinguish between the magistrates courts and the Crown courts in that respect: technical issues are difficult for any court.
The personal identification number was raised in connection with encryption. The organisation or individual has to know that the key-in this case, the PIN-is required and the question arises whether the individual is prepared to supply it. Knowledge or otherwise of encryption is less important than the hon. Member for Hallam suggests.
The hon. Member for North-East Hertfordshire asked about ECHR compliance. We believe, first, that a key is not self-incriminatory of itself, which is the main consideration. Secondly, we believe that a key has an existence that is independent of the will of the subject, which was explicitly approved by the European Court in a leading case, Saunders v. UK, in 1996. Thirdly, in that case, the court found that the right against self-incrimination does not extend to the use in criminal proceedings of material that may be obtained from the accused through the use of compulsory powers and has an existence independent of the will of the suspect-documents recovered under a warrant, for example, as illustrated by a key. That provides further indications of why we believe that we are not in violation of the European convention. That is why my right hon. Friend the Home Secretary made his statement to that effect.
Mr. Heald: I am grateful to the Minister for explaining his views on self-incrimination. One of Tim Eicke's points is that reverse burden cases under article 6 could lead to a breach. How would the Minister tackle article 6(2) issues in terms of compliance with ECHR? The Kebeline case in the divisional court is of interest here.
Mr. Clarke: I do not wish to go into further detail other than to say that the concept of a statutory defence is different from the concept of reversing the burden of proof. We have debated that matter at length before and it covers the hon. Gentleman's point. I have nothing further to add to my comments and I ask him not to press the new clauses to a vote.
Mr. Allan: The Minister just made an important point about self-incrimination. Will he clarify the status of information that could incriminate an individual, which might be revealed because the authorities have the key, but which was not part of the original intention of issuing the notice-or not part of the protected information? As we discussed earlier, once a key has been issued, it may provide access to ancillary information that was not part of the core investigation. That could pose issues of self-incrimination: individuals could rightly believe that they are incriminating themselves in ways unrelated to the core purpose of the notice. How would the authorities respond when an individual seeks to mount a defence on self-incrimination grounds in those circumstances?
Mr. Clarke: I was asked about the key and I sought to answer the question. I can add little more, except that the courts will make the judgments, and the agency, the CPS and all those who come before the courts will be extremely conscious of the European convention on human rights requirements. That should cover the points made by the hon. Gentleman.
Mr. Heald: On a point of order, Mrs Michie. I seek your guidance on the position regarding the new clauses. My understanding is that the question will be whether the clause stands part of the Bill. Clarification on that point would be helpful.
The Chairman: The new clauses will fall if clause 49 is agreed. On that basis, the new clauses will cease to exist.
Mr. Heald: I had understood that that was the position. Clearly, however, the new clauses are of great importance to the Opposition. I shall certainly seek to return to the issues raised on Report.
Question put, That the clause stand part of the Bill:-
The Committee divided: Ayes 10, Noes 6.
Division No. 10]
AYES NOES Clause 49 ordered to stand part of the Bill.
Clark, Mr. Paul
Clarke, Mr. Charles
Cohen, Mr. Harry
Darvill, Mr. Keith
Kennedy, JaneMoran, Ms Margaret
Prosser, Mr. Gwyn
Southworth, Helen
Sutcliffe, Mr. Gerry
Thomas, Mr. Gareth R.
Allan, Mr. Richard
Beith, Mr. A. J.
Heald, Mr. OliverLuff, Mr. Peter
Maclean, Mr. David
Taylor, Mr. Ian Question accordingly agreed to.
Mr. Charles Clarke: I beg to move amendment No. 69, in page 50,
line 9, at end insert-
(b) the person who gives the notice is himself a person whose permission for the giving of such a notice in relation to the information in question would have constituted appropriate permission under that Schedule.'.
The effect the amendment is that the person who authorises the use of the decryption power will have to give his or her approval for a section 46 notice to contain a secrecy requirement. The amendment is in response to concerns expressed about the tipping-off offence. Some commentators speculated about various unlikely scenarios-in our opinion-in which the provision might bite. More importantly, some industry contacts have expressed concern about the potentially wide application of the powers. Under the amendment, the person who authorises the use of decryption powers decides whether it is reasonable, which we believe is the best way forward. To illustrate, where the service of a notice is authorised by the Secretary of State, the Secretary of State will decide whether to impose a secrecy requirement. Such cases will be limited by virtue of clause 50(2)(a) and (b) to those where protected information has come, or is likely to come, into the possession of the police, Customs and Excise or the Intelligence services. I hope that the amendment provides furtherreassurance on the consideration required before a secrecy requirement is added to a notice.
Amendment agreed to.
Amendment made: No. 70, in page 51, line 6, leave out from ``authorised'' to ``came'' in line 10 and insert-
(b) by or on behalf of the person who gave the notice; or
(c) by or on behalf of a person who-
{**IX**}(i) is in lawful possession of the protected information to which the notice relates; and
{**IX**}(ii) ''.-[Mr. Charles Clarke.]
Question proposed, That the clause, as amended, stand part of the Bill.
We are particularly interested in time scales, although our feeling remains that there should in general be provisions in favour of whistleblowers. Where individuals feel, and have good grounds for feeling, that something is being abused, they should have some protection if they breach a secrecy clause in the wider public interest. That remains our concern about all the provisions on tipping-off offences.
Mr. Clarke: We discussed the matter this morning in the context of notification of subjects under the amendment moved by the hon. Member for North-East Hertfordshire. I do not have anything further to add to what I said, but I am prepared to consider the matter and I will write to the hon. Member for Hallam if anything comes to me.
Question put and agreed to.
Clause 50, as amended, ordered to stand part of the Bill.
Clause 51 ordered to stand part of the Bill.
Mr. Heald: On a point of order, Mrs Michie. The matter to be considered under amendment No. 47 was dealt with this morning when the Minister made his concession. I shall not move amendment No. 47.
Clause 52 ordered to stand part of the Bill.
Further consideration adjourned.-[Mr. Sutcliffe.]
Adjourned accordingly at seven minutes past Five o'clock till Thursday 6 April at Nine o'clock.
The following Members attended the Committee:
Michie, Mrs Ray (Chairman)
Allan, Mr.
Beith, Mr.
Cawsey, Mr.
Clark, Mr. Paul
Clarke, Mr. Charles
Cohen, Mr.
Darvill, Mr.
Dawson, Mr.
Dobbin, Mr.
Heald, Mr.
Kennedy, Jane
Luff, Mr.
Maclean, Mr.
Moran, Ms
Prosser, Mr.
Southworth, Ms
Sutcliffe, Mr.
Taylor, Mr. Ian
Thomas, Mr. Gareth R.