Two unnamed broadband or mobile ISPs are reportedly helping the UK Home Office and the National Crime Agency (NCA) to trial a new internet snooping system on their customers. The trial is being conducted as part of the controversial 2016 UK Investigatory Powers Act (aka the snoopers' charter).
The act introduced a new power that, among many other things, could force ISPs – upon being ordered to do so by a senior judge – into logging the Internet Connection Records (ICR) of all their customers for up to 12 months (e.g. the IP addresses of the servers you’ve visited and when), which can be accessed without a warrant and occurs regardless of whether or not you’re suspected of a crime.
NOTE: Obtaining the content of a communication still requires a warrant, but ICRs aren’t deemed to contain content.
The Communications Data Code of Practice, which was finalised in 2018, largely indicated that an ICR would “only identify the service that a customer has been using” and this is likely to involve the retention of various different pieces of data (varying between ISPs/networks).
However, the core ICR data should include a customer’s account reference, source IP address, destination IP address + port and the date/time of the start and end of the event or its duration. Other data may additionally be added if available (e.g. volume of data transferred and partial URLs – i.e. only that which contains communications data, not content).
Simplified Interpretation of an ICR Log
|Source IP (You)
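An added example (not from the article, the Code of Practice or any ISP's system): one way a record limited to the fields listed above could be built from richer flow data, with the URL cut down to scheme and host and a 12-month purge applied. The field names, the `partial_url`, `to_icr` and `purge_expired` helpers, the scheme-and-host cut-off and the sample flows are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

RETENTION = timedelta(days=365)  # "up to 12 months", as stated in the article

@dataclass(frozen=True)
class ICR:  # hypothetical field names for the core and optional data listed above
    account_ref: str
    src_ip: str
    dst_ip: str
    dst_port: int
    start: datetime
    end: datetime
    bytes_transferred: Optional[int] = None
    partial_url: Optional[str] = None

def partial_url(url: Optional[str]) -> Optional[str]:
    """Keep scheme and host only (assumed cut-off); drop userinfo, path, query, fragment."""
    if not url:
        return None
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None  # unparseable: store nothing rather than risk keeping content
    return f"{parts.scheme}://{parts.hostname}"

def to_icr(flow: dict) -> ICR:
    """Copy only the listed fields; anything else in the flow (payload, headers) is never read."""
    return ICR(flow["account_ref"], flow["src_ip"], flow["dst_ip"], int(flow["dst_port"]),
               flow["start"], flow["end"], flow.get("bytes"), partial_url(flow.get("url")))

def purge_expired(records: list, now: datetime) -> list:
    """Drop records whose event ended more than RETENTION ago."""
    return [r for r in records if now - r.end <= RETENTION]

UTC = timezone.utc
SAMPLE_FLOWS = [  # constructed sample data using documentation IP ranges
    {"account_ref": "ACC-0001", "src_ip": "192.0.2.10", "dst_ip": "198.51.100.7",
     "dst_port": 443, "start": datetime(2021, 2, 28, 10, 0, tzinfo=UTC),
     "end": datetime(2021, 2, 28, 10, 5, tzinfo=UTC), "bytes": 48213,
     "url": "https://user:pw@example.org/account/reset?token=abc123#top",
     "payload": b"POST /account/reset ...", "user_agent": "ExampleBrowser/1.0"},
    {"account_ref": "ACC-0001", "src_ip": "192.0.2.10", "dst_ip": "203.0.113.5",
     "dst_port": 80, "start": datetime(2019, 1, 1, 9, 0, tzinfo=UTC),
     "end": datetime(2019, 1, 1, 9, 1, tzinfo=UTC)},
]

if __name__ == "__main__":
    kept = purge_expired([to_icr(f) for f in SAMPLE_FLOWS], datetime(2021, 3, 1, tzinfo=UTC))
    for record in kept:
        print(record)
```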
The IPAct effectively prohibits ISPs from talking about much of this, which makes it difficult to verify the details (it also makes it difficult for ISPs to share experiences when developing best practices for the code), but a new article on Wired has provided the first useful update on this work in some years and confirms that two ISPs are helping to develop the system (BT seem like a fair bet to be one of those, but this is not confirmed).
A spokesperson for the Investigatory Powers Commissioner’s Office (IPCO) confirmed the trial is ongoing and that it is conducting regular reviews to “ensure that the data types collected remain necessary and proportionate”. At this stage the trial is described as being “small scale,” which we’d surmise to mean that it hasn’t yet been enabled for the entire customer base of each ISP.. yet.
Recent court challenges mean that, technically speaking, such data can only be stored (or ordered to be stored) if it is considered necessary and proportionate to do so, such as in the course of helping to fight serious crime. But the Government’s definition of what is and is not a “serious” crime has sometimes been called into question, while the IPAct has also faced some related legal challenges.
Meanwhile it’s reported that the NCA has spent at least £130,000 on two external contracts, which are being used to commission companies to build the underlying technical systems to run trials. Assuming all goes well then the Government will want to see this system being rolled out nationally and that could be a real burden for some ISPs.
The IPAct is due for its first 5-year review in the next year, which some hope could be an opportunity to improve its transparency. On the other hand, there may be fears that, without the protection of the EU’s charter, the UK government may seek to make the law even more intrusive and thus to the detriment of personal privacy. Well.. we’re sure nobody would ever want to abuse a mass national snooping system, no not at all (*tongue firmly in cheek*).