UPDATE Government Creates Confusion Over New Internet Snooping Bill

Later this week the Government will finally publish their third attempt to enhance the Internet snooping capabilities of our country’s security services, but there’s growing confusion between the mass media and politicians over what will actually be announced.

At this point we’re going to save our in-depth coverage until Wednesday, when hopefully we should be able to see what has actually been written into the bill instead of being forced to interpret a shaky mix of poorly communicated hints from politicians (precious few MPs are competent in matters of networking and IT).

The existing law (Data Retention and Investigation Powers Act), which is temporary legislation (here), can already request ISPs to keep and provide a log of some very basic Internet connectivity and phone records (this does not include the content of your communication), which becomes active for specific subscribers after a warrant has been received.

However the Government, which is concerned that the existing approach doesn’t provide the security services with enough information to help tackle increasingly sophisticated cybercrime and terrorist networks, wants ISPs to log more data about the online activity of all their customers; irrespective of whether or not you’ve committed a crime.

On top of that they want to make it easier for the security forces to get their hands on this information and that approach has created some concern. On the one hand many people are worried about excessive state intrusion into their private lives (we all have things to hide, otherwise we wouldn’t close the blinds while getting dressed), while on the other hand ISPs are fearful of the technical feasibility and cost of implementing all this.

It’s into this climate that, over the weekend, we got our first hint of what changes might make it into the bill and unsurprisingly some of the comments from senior Government ministers have created plenty of confusion. Here’s a quick summary of the key points so far.

Main Changes from the 2012’s Comms Data Bill

* ISPs will be required to maintain a basic access log of customer activity for a period of 12 months (e.g. names, dates, times and websites / servers visited [e.g. ispreview.co.uk]) and several reports suggest that this may be more easy for the security forces to access (it’s unclear whether a warrant will still be required).

* A second, more detailed, category of access log will also be created (e.g. what specific web pages on that website or other online services were visited / used [e.g. ispreview.co.uk/about.shtml]) and this category will definitely require a warrant. It’s unclear whether ISPs will be expected to track the extra detail automatically, for all customers, or if that part only becomes active after a warrant has been received (not unlike the original law).

* Comms providers won’t have to store Internet traffic from companies based in the USA (e.g. Facebook and Google), nor “third-party” data from companies based overseas, although quite how they expect ISPs to accurately filter and distinguish between all this in their logs is unclear.

* The effort to restrict encryption, such as by forcing Internet companies to share decryption keys or to open other back-doors for the security services, is said to have been diminished.

However the Government still intends to issue warrants for the release of potentially encrypted data, which could be difficult as many of the companies that secure their customers communications via such systems often do not even themselves have access to what is being communicated (users generate their own keys automatically).

As such it’s unclear whether or not this aspect has been watered down or that the Government are simply using softer language to communicate their plans.

* The oversight regime has been improved and a senior judge will now be appointed to monitor use of the law (Investigatory Powers Commissioner). However there is a big question mark over whether ministers will have the ability to grant warrants (Labour’s red line is that judicial authorisation is the only acceptable approach; how times have changed).

The hints clearly give rise to plenty of questions, which are in need of some clarification, but we’ll have to wait until Wednesday to get it. At the same time we note that some politicians do not appear to view data, such as which websites you visited, as sensitive personal information, but we’d beg to differ. You can learn a lot about a person from basic metadata (e.g. likes and dislikes).

Similarly the tracking of individual website pages, which suggests full URL (web address) crawling, is a deeply grey area because the web address itself can contain personal information and won’t work so well for HTTPS encrypted sites (e.g. if you submit personal data via a web form that’s not encrypted then some of it, which would normally only be visible to you, may also be stored in the URL as part of that process).

On the other hand the Home Secretary, Theresa May, said at the weekend that the Government, “will not be giving powers to go through people’s browsing history. That is not what the investigatory powers bill is about.” Talk about mixed messages, although we believe this is merely reflecting the need for a warrant before more detailed snooping is enacted.

At this point many of the original concerns about technical feasibility and cost still appear to exist, after all you can’t log all this data without needing a lot of storage in the ISPs data centre and then there’s the question mark over whether or not the process for sharing access to it will be automated or manual.

As usual the first draft of any new bill is usually the worst / toughest and hopefully the usual democratic debate and revision process will produce something a little more balanced, assuming it even makes it to the Royal Assent stage. Meanwhile the technically competent criminals and terrorists already know how to mask their online activity.

On top of that we hope that the Government have learnt about the need to distinguish Internet access and Internet content providers as the two do not work in the same way and need a different approach in the respective legislative language.

UPDATE 3rd November 2015

The Internet Service Providers Association (ISPA) has uploaded a check-list for Parliamentarians of things that need to be considered for the new legislation to be “proportionate and effective“. The full document can be found online, but here’s the short summary:

The Five Points:

1. Full, extensive Parliamentary scrutiny and consultation with all stakeholders.

2. Effective on a technical and public policy level.

3. A stable framework that complies with all relevant legal obligations.

4. Adequate balance of powers, oversight and transparency.

5. Full consideration of impact on business.

The bill only has a debate window of 8 weeks and so it remains to be seen how much of it will end up matching what the ISPA wants to see.