Draft UK ISP Internet Snooping Law Will Not Log Web Page Addresses

Yesterday’s meeting of the Joint Parliamentary Committee that is responsible for scrutinising the draft Communications Data Bill, which threatens to expand the UK’s existing internet snooping laws and force ISPs into monitoring a bigger slice of everybody’s online activity, appears to have confirmed that the bill will not require full web page addresses (URL) to be logged.

The bills first draft, which was published last month (full summary), is worrying vague on a number of points and not least with its definition of “website addresses“, or lack thereof. At present the existing rules would log the IP (e.g. 85.32.6.87) address of a communication, which could be connected to a domain (e.g. ispreview.co.uk) / website but not individual web pages (full URL addresses).

This is a critical point because web page addresses can easily contain sensitive personal data, such as names and phone numbers (e.g. http://example.com/signup.php?name=bob_riley&phone=12345), which would normally occur as part of a private process but could potentially be logged by an ISPs systems.

Thankfully yesterday’s meeting heard the Director of the Office for Security and Counter-Terrorism, Charles Farr OBE, state that, “comms data will show which website you have accessed” but not “the pages or other aspects of a website” (i.e. no change from the current rules). But take this all with a pinch of salt until we see the final text.

Separately, while watching the proceedings, we also noted that one of the three witnesses (made up of police and security officials), suggested that many ISPs already use Deep Packet Inspection (DPI) technology and these might also be used for data collection as part of the new law. But different DPI systems, such as those used for Traffic Management, do different things and are by no means perfectly designed for what the government has in mind.

Meanwhile Charles Farr also admitted that the bill wouldn’t catch everything, with about 25% of data remaining inaccessible due to encryption and or any other issues that might prevent its collection. Farr suggested that the bill would aim to reduce this figure to 15% by 2018, which seems to assume, perhaps wrongly, that people won’t adapt to circumvent its measures.

Draft Communications Data Bill (PDF)
http://www.official-documents.gov.uk/document/cm83/8359/8359.asp

Joint Parliamentary Committee – Communications Data Bill
http://www.parliament.uk/business/committees/committees-a-z/joint-select/draft-communications-bill/..