» ISP News » 

IPAct – Controversial New UK ISP Internet Snooping Bill Becoming LAW

Wednesday, November 16th, 2016 (8:17 pm) by Mark Jackson (Score 11,396)
internet uk spying and monitoring

Broadband ISPs and mobile operators will tonight offer a collective sigh after the Investigatory Powers Bill effectively achieved Royal Asset to become an Act. The new law will force providers into logging a big slice of your Internet activity, irrespective of whether or not you’re even suspected of a crime.

At present ISPs need to see a warrant before logging what customers do online (for up to 12 months) and related logs are also extremely basic. By comparison the new law introduces a system that will require ISPs to store comparatively detailed Internet Connection Records (e.g. the websites / servers you’ve visited) for all their customers and this will also be accessible without a warrant (summary).

The recent Code of Practice suggested that an ICR’s “core information” will most likely include a customer’s “account reference, a source [Internet Protocol] and port address, a destination IP and port address and a time/date” (details), but some providers may be expected to collect more data than this if they can.

However a full interception warrant will still be required to obtain the most detailed information (e.g. the content of your communications), but even without one the ISP would still need to record your basic activity via ICRs (these will be stored for a period of 12 months) and that’s neither easy nor cheap to do.

Overly Simplified Interpretation of an ICR Log

Account ID
Date (Time) Source IP (You)
Destination IP:Port Data Volume URL
1 19/01/2017 (12:01) 84.56.232.71 123.45.62.86:80-HTTP 800KB omgfakeballz.com
1 19/01/2017 (13:12) 84.56.232.71 65.123.45.90:21-FTP 0.2KB ftp.faketest.co.uk
65 19/01/2017 (13:14) 84.79.130.47 190.45.62.86:80-HTTP 1700KB icanhasyourdata.net

A lot of people do however see the new law as a useful, maybe even necessary, tool for helping to combat the very real threat from terrorism and serious online crime. Meanwhile others fear that such monitoring goes too far (i.e. an invasion of privacy that could easily be abused), giving the UK one of the most extreme state surveillance laws of any Western democracy.

Jim Killock, Open Rights Group, said:

“The IP Bill will put into statute the powers and capabilities revealed by Snowden as well as increasing surveillance by the police and other government departments. There will continue to be a lack of privacy protections for international data sharing arrangements with the US. Parliament has also failed to address the implications of the technical integration of GCHQ and the NSA.

While parliamentarians have failed to limit these powers, the Courts may succeed. A ruling by the Court of Justice of the European Union, expected next year, may mean that parts of the Bill are unlawful and need to be amended. ORG and others will continue to fight this draconian law.”

Big question marks also remain over the fundamental issue of cost (ISPs will have to foot some of the bill) and technical feasibility, with every ISP predicting that the Government’s estimate of +£175m is well below the reality (here). As a result consumers may end up paying a higher price for broadband in order to help support it.

Some companies will also have to effectively seek approval from the Home Office if they wish to create new products, services or re-brand their business, which is understandable for administrative / operational reasons (certain changes might affect the data gathering), but at the same time it’s an ugly burden to place on any business.

It’s also not just the security services that will have access to ICRs, with the Department for Transport / Health, HMRC, NHS, Food Standards Agency, Gambling Commission and various other public authorities also being able to request the data (see the full list); except local authorities and council officials, who will NOT be permitted access.

On top of that the law also gives the security services new powers to hack computers and other electronic devices (GCHQ had previously been doing this covertly). The law may also make it difficult to offer secure / encrypted end-to-end communication services because companies will face legal pressure to hand over related comms data (example).

Recent Amendments

Thankfully there have been a few improvements to the IPBill since it was revised, again, at the end of last year. The government has introduced a new privacy clause, although this only aims to make it “clear that warrants or other authorisations should not be granted where information could be reasonably obtained by less intrusive means“.

Journalists have also been granted a bit of extra protection and a Judicial Commissioner will be required to consider the “overriding public interest” when authorising the use of Communications Data. In keeping with that the commissioner will also more generally be able to scrutinise the decision to issue a warrant, not just the process.

Meanwhile MPs will be protected from snooping and only the Prime Minister can explicitly approve an interception of their communications (note: doctors and lawyers etc. will also get some protection). Similarly trade union activities cannot be considered sufficient reason for investigatory powers to be used. One rule for them, another for the rest of us. Quite how ISPs will be expected to accurately identify all these exceptions is not clear (i.e. they might still have to log the data, even if the information itself won’t be requested).

Elsewhere ISPs have also been told that they won’t have to retain or disclose “third party data“, unless the operator retains it for its own business purposes. In this context, third-party data means communications data processed by the operator for the purpose of routing communications within an electronic communications network.

Some other changes have also been made in order to make it harder for Internet data to be requested on adults suspected of only minor crimes, although there are plenty of caveats to this (clause 59.5) and as such the supposed limitation is actually rather weak.

Various other changes have also been made, but most of them are small and none of them really tackle the overriding concern about a system that snoops on every one of its citizens, not to mention the technical and cost challenges of actually making that work.

We should also add that it will now be an offence if a person in a public authority unlawfully obtains communications data.

Conclusion

Today’s outcome was perhaps a forgone conclusion, not least since both the Conservative and Labour Parties have repeatedly spent the best part of the past 8 years trying, and often failing, to get similar legislation passed into law. In that climate no amount of opposition from the Liberal Democrats, SNP or smaller parties would make a dent.

On top of that the related Data Retention and Investigatory Powers Act 2014 (DRIP) is due to expire at the end of 2016 and must be replaced before that deadline. But it should be noted that the DRIP Act only came into existence because the previous Regulation of Investigatory Powers Act 2000 was declared “invalid” after the European Court of Justice ruled (here and here) that it breached the “fundamental right to respect for private life and the fundamental right to the protection of personal data” (EU Charter of Fundamental Rights).

Furthermore there’s also the rather big caveat of whether any of this will actually help. The security services are already overloaded with data and simply making the haystack bigger doesn’t necessarily help to find the needle. Harvesting such a large amount of information will also become a tempting target for hackers and state sponsored espionage, which is particularly worrying given the increasingly long history of major data breaches.

On top of that the usefulness of the data is another issue, particularly since any half-witted terrorist or criminal can easily mask themselves behind encrypted connections or services that may also exist in other countries (away from UK law) and thus retain no logs.

Likewise Internet connections are often shared and thus identifying who is actually using the service at any one time remains very difficult without traditional surveillance (i.e. a man on the ground), but that doesn’t mean to say that a court wouldn’t misconstrued an ICR and blame the connection owner for a crime, even if they’re innocent.

The new law effectively creates a system that monitors everybody and threatens the erosion of privacy, which is a founding tenant of most democracies because it helps to shield the people and political opponents from abuse by Governments that hold too much power.

Suddenly the inside jokes you share with friends online, your search history and the fact that somebody on your connection may have once visited an illegal website (on purpose or by accident, ICRs can’t tell the difference), all of this becomes a weapon that could be used against you.

No doubt some will say that the new law merely serves to make legal what the Government’s spying agency (GCHQ) has already been doing in private for several years, which is true up to a point. But we’ve never had a system that forces ISPs to retain a complex log of all your online activity and to then store / provide it without a warrant, which carries with it a certain chill.

NOTE: Strictly speaking the IPBill is not quite yet an Act (Law), but it has today completed the final passage through both the House of Lords and Commons. As a result the only remaining step is a formality, which means getting the Queen to sign a piece of paper. For all intents and purposes this is now the Investigatory Powers Act.

Delicious
Add to Diigo
Leave a Comment
20 Responses
  1. Billy

    I hate the idea that someone can see all the shit I buy off ebay.
    Can my purchase history still be viewed if I use a VPN?

    • mrpops2ko

      No it can’t. From the leaks we have seen OpenVPN hasn’t been cracked yet. All the other stuff has, including ipsec.

      Having a VPN that has shared IPs, so that all your traffic goes into them, along with 50-100+ other peoples, all intermixed helps a lot in this regard.

      On a person level what can you do? Purchase a good VPN and push all your traffic through them. I’ve switched to doing that. This site thatoneprivacysite.net/vpn-comparison-chart does a comprehensive review of most VPNs.

      I found the simple comparison too simple and the advanced one too bloated, so I filtered it for things I care about and these are the short list i.imgur.com/Fmld4ix.png . Any of those would be good.

      I personally went with IVPN and found that my ping actually decreased. With AirVPN it stayed the same or went up. Really surprised it decreased my ping, the only issue i’m noticing now is some peak time congestion around London at times.

      If you want to go even further, you can make your traffic multi-hop, so it goes through multiple vpns and if you want to even further on top of that, you could route it all through TOR on top.

      At the moment though I think just a VPN is enough, and once its set up it is pretty seamless, with no noticeable loss of quality or degreade of service.

      I’d suggest looking into a killswitch and DNS leaking, if you want to be 100% sure you are protected at all times. I built a PFSense box and I route all my traffic over VPNs now.

    • john

      I use Astrill VPN at router level. I am using Cast 512bit and I have access to 2048 as well if needed. It’s £70 a year but so worth it and it covers my mobiles and all other devices as well.

      I have heard that blowfish has been cracked, not sure about Camellia. I can use any of those if needed.

      But I will be dammed if they are going to log me and the day that they can no matter what I use will be the day I kick the internet in.

    • john

      That said there are plenty of mega cheap dedicated servers in france or VPS’s from ebay all over the world. You could get one of them and remote into them and do all your business there.

    • Ethel Prunehat

      Yes, TPTB can see your eBay purchasing history regardless of how you access eBay. They will ask eBay for it directly, which is much easier than trying to reconstruct it from sniffing your internet traffic.

    • DTMark

      That’s a handy chart 😉

      We use a UK based VPN provider (not in the chart) though I’ve been considering a Microsoft Azure based one. IIRC it’s about £90 per month for a “high quality VPN” (I need to qualify what that means).

      We have to use a VPN as our ISP uses CGNAT which basically renders some of the internet useless. For example, YouTubeTV control won’t work properly with CGNAT – the changing external IP causes the connected device to disconnect.

      The security/privacy is a big bonus and this legislation makes me more determined to spend time looking at this more closely.

      Used Astrill for a while, but it readily fell to pieces every time there was a big TV event like some major Coronation Street storyline.

      The one we have now rarely goes above 37Mbps down, though we can still get our full 50Mbps up. The shaving of some speed is obvious. Friday and Saturday nights are when it is most stressed.

    • Chris P

      @DTMark

      who is your ISP and what is your normal Bandwidth?

    • john

      @DTMark

      Really? I can’t say I’ve noticed anything like that since I joined them in April.

  2. Jolly Olly

    Congratulations old people in parliament. You have turned us into a surveillance state

  3. Patrick Cosgrove

    And if the terrorist cells decide to operate out of Starbucks, or hover near Tesco ….? Surely this will just drive suspect activity deeper underground and do little more than catch the occasional chump.

    • brianv

      Are there any real tewwowists? Or just the Emanuel Goldstein variety? Paper-based only. Like the 19 evil henchmen of 911, found alive and well, post-911. Remember that fireproof hijacker passport which few out of the cockpit window and fluttered down onto the Manhattan sidewalk? An obvious load of old fanny. Did anyone seriously buy that crock at the time?! But that’s the mainstay of the War on Terror!

      Fictitious bogeymen invented by MI5, the CIA, and their intelligence comrades in that marching army of mindbenders, in their war for our minds.

      Never-ending tewwow psyops “to keep the people frightened”, as Orwell noted prophetically. Guaranteeing an ever expanding cash flow into the intelligence/security budget, for all the spooks’ dodgy off-book projects.

      So what are the spooks gonna do with all this new data they’ve collected? Data which they’ve been illegally collecting anyway for decades since.

      In the large part, nothing at all. Not unless there’s some commercial value in that illicit information. e.g. insider information gleaned from earwigging in the City. Material useful for blackmail, maybe? Imagine harvesting the browsing history of Greville Janner MP. All those sexi-sites he loved to visit (of an evening). And how malleable he’d be once you showed him you knew of his little (boy) secrets.

  4. Jolly Olly

    This just goes to show we do not live in a democracy. We do not have freedom. No matter where you go physically or digitally, you will always be watched.

    Our democracy is an illusion. Our private data is up for sale (NHS etc) and any organisation the government chooses, can have access to our internet data.

    Instead of propagating crimes the government is trying to ‘stop’ – e.g dropping bombs on innocents, refusing to decriminalise and legalise certain drugs, which has been proven to work.

    The rich stay rich and the poor stay poor and this is being taken to a whole new plateau with the Tories in power. Agenda galore.

  5. Patrick Cosgrove

    I think a few FOI enquiries twelve months into this will show that it’s produced very little of worth.

    • Bob2002

      The NSA terrorist dragnet notoriously produced almost no results, but this is going to be used on every citizen that comes to the attention of the authorities. This will be most effective against the average man or woman, not a serious criminal or terrorist – who will easily be able to defeat it.

      Every person, where possible, should be using a VPN for personal browsing from now on – this isn’t just about the police and terrorism but other government departments who think they should be allowed to essentially “steam open your mail” for the hell of it.

  6. Chris

    This is a sad day. I already use a VPN for most of my Internet access and will step that up. Orwellian tactics over Internet is just one more area where the government has stripped our civil liberties. Of course you just draw attention to yourself using a VPN provider. What I don’t like is the way the data will almost certainly be miss-used. You can’t provide such a powerful tool and expect those with influence will not abuse it. The icing on the cake is that MPs are excluded.

    This is a disgusting abuse but one we voted in (OK, so not much choice). This sort of decision should be given directly to the public to decide although my faith in democracy has rather dwindled with recent events.

    C.

    • Peter

      I’ve got news for you:
      Out there in the real world no one is bothered….they really are not.
      Yes the 100 or so usual’s are on the web on forums spouting off but for the rest – we really are not interested and nor is anyone I know.
      No, it will not catch the ultra hard liners but for the rest of the stupid criminals…..
      And that includes the regular criminal cases where internet history is part of the case and currently the police have to hope they can extract it the PC.
      It’s going to be far easier to get it at source.

      As to the EU
      Well the EU would have “required” the UK to enact something similar anyway by directive and probably given all authorities access to it and we would not get a vote on it or be able to change it in any shape of form.
      You are on the wrong planet if you think the EU is either “democratic” or has its population “general well being” at their heart.

      I recall the EU was mooting EU wide ID cards which would then be used to ID-logon to any comment site plus of course meaning real name posting. I’ll bet that would go down well!

      If we had a vote on it I vote in favour and also for a ban on VPN’s except on business connections.
      Stick a mandatory 10 year sentence for non compliance should do the trick.

  7. hmm

    so is this across the board ie major isp sky bt etc the cost of this
    what about smaller isps do they have to comply big cost for them

  8. Frank

    I’m not a criminal and I certainly don’t want all my data held on an ISP server for 12 months. How many times have they been hacked in the last couple of years?!

    You might also work in a data sensitive role such as laywer, solicitor, patent attorney etc.

    Did someone mention the law doesn’t apply to MPs? I guess “All animals are equal but some animals are more equal than others”.

  9. Anon Jr

    Aight what about porn sites? If noted by these lot, will it get ya into severe trouble?

IMPORTANT: Javascript must be enabled to post (most browsers do this automatically). On mobile devices you may need to load the page in 'Desktop' mode to comment.


Comments RSS Feed

* Your comment might NOT appear immediately (the site cache re-syncs periodically) *
* Comments that break our rules, spam, troll or post via fake IP/proxy servers may be blocked *
Promotion
Cheapest Superfast ISPs
  • Origin Broadband £23.89 (*31.58)
    Up to 38Mbps, Unlimited
    Gift: None
  • Plusnet £25.00 (*32.98)
    Up to 38Mbps, Unlimited (FUP)
    Gift: None
  • Vodafone £25.00 (*28.00)
    Up to 38Mbps, Unlimited
    Gift: None
  • Hyperoptic £26.00 (*35.00)
    Up to 100Mbps, Unlimited
    Gift: None
  • Pop Telecom £26.99
    Up to 38Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
Poll
*Javascript must be ON to vote*
The Top 20 Category Tags
  1. BT (1879)
  2. Broadband Delivery UK (1305)
  3. FTTC (1197)
  4. FTTP (1197)
  5. Politics (936)
  6. Openreach (909)
  7. Business (827)
  8. Statistics (755)
  9. Fibre Optic (739)
  10. Mobile Broadband (683)
  11. Wireless Internet (619)
  12. Ofcom Regulation (606)
  13. 4G (566)
  14. Virgin Media (559)
  15. FTTH (492)
  16. Sky Broadband (445)
  17. TalkTalk (420)
  18. EE (369)
  19. Security (309)
  20. 3G (268)
New Forum Topics
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Promotion

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules