» ISP News » 

Problems Remain – Government Publishes Revised ISP Internet Spying Bill

Tuesday, March 1st, 2016 (3:50 pm) - Score 1,573

After receiving strong criticism from three major reports, the Government has today appeared to rush out a revised draft of their controversial Investigatory Powers Bill (IPB), which hopes to force broadband ISPs into logging and monitoring a much bigger slice of your online activity.

In simple terms the bill introduces a number of new powers, such as requiring ISPs to maintain log (Data Retention) of your online activity for up to 12 months (irrespective of whether or not you’ve committed a crime) and then making it easier for approved organisations (police etc.) to access that information.

The first IPBill draft was only published in November 2015 and since then there have been three major reports (here, here and here), all of which have poked big holes in the Government’s arguments and pointed to significant concerns about its cost, the impact upon privacy, the potential weakening of end-to-end encryption services and a lack of adequate safeguards.

All of the three reports, which were only published last month, also noted a lack of detail and a failure to clearly define what an Internet Connection Record (ICR) should constitute; this reflects the data that ISPs will be expected to log and so is very important to get right.

Only a few weeks have passed since those reports were published and yet the Government has today rushed out a revised draft, which claims to make the following broad tweaks.

IPBill Tweaks Statement

* [The Government] responded to the committees’ call for greater clarity by producing a much clearer bill (we have refined technical definitions and are publishing additional material alongside the bill to explain how the powers in the bill will be used and why they are needed).

* [The Government] made the privacy safeguards clearer and stronger (the bill incorporates additional protections for journalists, removing an exemption for the security and intelligence agencies when seeking to identify journalists’ sources and it incorporates statutory protections for lawyers).

* [The Government] will continue to work closely with industry to develop implementation plans for retaining internet connection records in response to recommendations from the Joint Committee and the Science and Technology Committee.

As usual what the Government says and what it produces are still not entirely in balance. For example, the same provisions for attempting to access encrypted communications still exist, but they’ve now added a clause that says this can only be done where it is “practicable” (i.e. end-to-end encrypted communications might be safe from such requests, but it’s not 100% clear).

In other areas the Government has also expanded, rather than scaled back, some of its measures. For example, the bill now allows police to access all web browsing records in specific crime investigations (originally it only focused on illegal websites and communications services specified in the first draft). We’ve summarised just a few of the other tweaks below.

Summary of Several Key IPBill Tweaks

* ISPs will now be permitted (previously they were NOT permitted) to disclose the existence of a data retention notice in specified circumstances, but ONLY with the permission of the Secretary of State.

* The security and intelligence agencies will now have to seek judicial authorisation for acquiring communications data to identify a journalistic source.

* On the cost of implementation the Government said, “it would not be appropriate to commit future Governments to pay the full cost of compliance, as it would limit their discretion on this issue … In practice, the Government has a long-standing position of reimbursing 100% of the costs associated with data retention. There are no current plans to change that policy, which was confirmed by the Home Secretary on the floor of the House of Commons on 21 February 2016.”

* Clause 80 of the Bill provides a route for CSPs to appeal to the Secretary of State should a company consider that the obligation placed on them would incur unreasonable costs. In considering their appeal, the Secretary of State must take advice from the Technical Advisory Board (TAB) on costs and technical feasibility and from the Investigatory Powers Commissioner (IPC) on proportionality.

* The bill will now allow law enforcement to acquire Internet Connection Records (ICR) to identify the internet services that a person or device has accessed that are not related to communications services nor contain illegal material, provided that this is necessary and proportionate for a specific investigation.

* The Government claims to have created a “consistent definition” of what an ICR actually is. The first draft didn’t include any real definition, which left many ISPs to scratch their heads about what data they would be expected to log. We had to dig deep in order to find the definition, but this is what we uncovered:

An ICR may consist of:
1. A customer account reference – this may be an account number or an identifier of the customer’s device or internet connection;
2. The date/time of the start and end of the event or its duration;
3. The source IP address and port;
4. The destination IP address and port – this is the address of the service accessed on the internet and could be considered as equivalent to a dialled telephone number. The port additionally provides an indication of the type of service (for example website, email server, file sharing service, etc.);
5. The volume of data transferred in either, or both, directions;
6. The name of the internet service or server connected to; and
7. Those elements of a URL which constitute communications data – this is the web address which is the text you type in the address bar in an internet browser. In most cases this will simply be the domain name – e.g. socialmedia.com.

We can see a few potential problems with the ICR definition, although the text does state that its “core information” will most likely include just the “account reference, a source [Internet Protocol] and port address, a destination IP and port address and a time/date” (what gets logged is ultimately said to “depend on the service and service provider concerned“).

However there’s still a rather big question mark over how you separate “content” from that which constituents “communications data” in a URL / web address (i.e. a URL can also include names, phone numbers and messages when transmitted via http instead of https). Splitting out this information automatically sounds like an almost impossible filtering process and it would be better if the Government limited it to only domain names, as opposed to using the “in most cases” caveat (see above).

Similarly the request for the “name of the internet service or server connected to” may be challenging, especially when you try to log any connection to a modern website that can result in a convoluted mass of data as most websites call information from several other remote and local servers when you load them (to an ISP this would just be one big mess of IP addresses and requests). The bill does talk about not requiring ISPs to log “third party data“, but the description of how they interpret this is tedious to understand.

Home Secretary, Theresa May, said:

“This is vital legislation and we are determined to get it right. Our proposals have been studied in detail by a Joint Committee of both Houses of Parliament established to provide rigorous scrutiny, and 2 further committees.

The revised Bill we introduced today reflects the majority of the committees’ recommendations – we have strengthened safeguards, enhanced privacy protections and bolstered oversight arrangements – and will now be examined by Parliament before passing into law by the end of 2016. This timetable was agreed by Parliament when we introduced the Data Retention and Investigatory Powers Act in summer 2014.

Terrorists and criminals are operating online and we need to ensure the police and security services can keep pace with the modern world and continue to protect the British public from the many serious threats we face.”

Overall the revised bill is unlikely to silence the Government’s critics and many problems remain, not least with regards to the open question of how much it will all cost (estimates upwards of £175m+ still seem absurdly low) and how long it will take for ISPs to implement a working system (we can’t see smaller ISP achieving this any time soon, but they may only need to cater for the so-called “core information“; see above).

James Blessing, Chair of the UK ISPA, said:

“With the Joint Committee publishing its report a mere nineteen days ago to conclude the pre-legislative parliamentary scrutiny, ISPA is disappointed that the Home Office has moved forward with a revised Bill in such a short space of time. It is widely agreed that a new legislative framework is needed that balances the interests of privacy, security and the impact on the Internet industry.

The Prime Minister himself said that it “is one of the most important Bills that this parliament will pass and it is vital that it is scrutinised and debated properly”, we now hope that Parliament is given sufficient time to properly scrutinise the Bill in order to get a Bill that is proportionate and workable.

Whilst we welcome the publication of further information alongside the revised Bill, including the associated draft codes of practice, the Home Office has pledged a number of changes to the Bill that will require close scrutiny. For example, as more work is undertaken to better understand Internet Connection Records, the powers have been extended, and there are still questions to be answered around the use of technical capability orders and definitions used in the Bill.

With the Bill and numerous supporting documents published today, ISPA will be holding a meeting with members to discuss the Bill in full.”

Jim Killock, Open Rights Group (Executive Director), said:

“The Home Office is treating the British public with contempt if it thinks it’s acceptable to rush a Bill of this magnitude through Parliament. MPs and peers need sufficient time to consider the fundamental threats to our privacy and security posed by the Investigatory Powers Bill. Many have their minds elsewhere, dealing with important decisions about Europe.”

On first reading, the revised Bill barely pays lip service to the concerns raised by the committees that scrutinised the draft Bill. If passed, it would mean that the UK has one of the most draconian surveillance laws of any democracy with mass surveillance powers to monitor every citizen’s browsing history.”

The bill has now gone before parliament and will no doubt receive a fair bit of scrutiny as part of that process, which will probably produce some further changes along the way. The Government will aim for the Bill to pass into law before the end of 2016, which would allow it to replace their existing temporary legislation that runs out at the same time.

The Revised 2016 IPBill

Government Responses to IPBill Committees

IPBill Codes of Practice

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
9 Responses
  1. Mike says:

    Such an evil government…

    1. DanielM says:

      it was labours idea lol. the tories just renamed it

    2. timeless says:

      you but the last labour government was somewhat of a centre right movement if you really think about it.

  2. dragoneast says:

    Just wondering as I haven’t thought this through, but if the ISP’s maintain the logs, then will be courts be able to order access to them at the suit of a third party who suspects say copyright infringement, or indeed anyone who seeks civil damages or an injunction for some wrong where the data may provide evidence? I appreciate they already do this, but presumably on a more restricted data set. Or does the Bill in some way prevent this? Or I suppose, should it, as it’s all for catching wrongdoers!

  3. cyclope says:

    I wouldn’t ever class file sharer’s as wrong doer’s it’s the big corporations that are the crook’s but government are in cahoots with them and their money

  4. Richard says:

    Perhaps it’s time for VPN
    Can anyone suggest a service where you’re safe when file sharing please?

  5. Bizzy says:

    The authorities are already accessing everything via GCHQ. The police already have emergency legislation that supports them, and they are accessing internet information based on suspicions alone.
    I am of the opinion that broad surveillance is not compatible with our western civilization and democracy. Each surveillance should be specific and warranted.
    If we want to broadly track muslim terrorist internet surfers, then this should be done with a specific mandate and its a job for GCHQ or MI5 alone. The police have no proactive rights in this area, nor should they be given any.

  6. cyclope says:

    If this is allowed to happen it will be open to abuse, our details will be sold to whatever private company are willing to pay, Like crapita who supposedly enforce the TV licence if they change the laws on that making previously non live content part of the tv tax crapita will be given access and will be trawling our internet history looking for anything iplayer related that’s what the likes of this un democratic bill will be the start of,

  7. timeless says:

    imho, this isnt about terrorism, this is about extending powers beyond just our front doors, firstly there is the potential for such information to be used by marketing companies.. in fact information would be a marketers wet dream!!! lets face it the Tories sell anything that isnt nailed down and this will be no different.

    then there is the security aspect.. if the government mandate that software has back doors these back doors will be found by hackers and they will be used meaning our internet security will be essentially useless.

    but l believe the most important part of this for the Tories is to quell dissident.. look at it from the perspective that many protests usually start online with a group coming together which leads to an offline gathering, the internet has become an integral tool for communication between many ppl over our country, and if you have the ability to spy on those communications you can stop protests before they happen.. just arrest the organisers and you have no protests.

Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Vodafone £19.50 (*22.50)
    Speed 38Mbps, Unlimited
    Gift: None
  • NOW £20.00 (*32.00)
    Speed 36Mbps, Unlimited
    Gift: None
  • Hyperoptic £20.00 (*25.00)
    Speed 50Mbps, Unlimited
    Gift: Promo Code: BIRTHDAY10
  • Shell Energy £21.99 (*30.99)
    Speed 35Mbps, Unlimited
    Gift: None
  • Plusnet £22.00 (*38.20)
    Speed 36Mbps, Unlimited
    Gift: £60 Reward Card
Large Availability | View All
Cheapest Ultrafast ISPs
  • Gigaclear £24.00 (*49.00)
    Speed: 300Mbps, Unlimited
    Gift: None
  • Vodafone £24.00 (*27.00)
    Speed: 100Mbps, Unlimited
    Gift: None
  • Community Fibre £25.00 (*27.50)
    Speed: 200Mbps, Unlimited
    Gift: None
  • Hyperoptic £25.00 (*35.00)
    Speed: 150Mbps, Unlimited
    Gift: Promo Code: BIRTHDAY10
  • Virgin Media £28.00 (*52.00)
    Speed: 108Mbps, Unlimited
    Gift: None
Large Availability | View All
The Top 20 Category Tags
  1. FTTP (3562)
  2. BT (3023)
  3. Politics (1938)
  4. Building Digital UK (1927)
  5. FTTC (1887)
  6. Openreach (1837)
  7. Business (1691)
  8. Mobile Broadband (1480)
  9. Statistics (1409)
  10. FTTH (1365)
  11. 4G (1277)
  12. Fibre Optic (1174)
  13. Virgin Media (1171)
  14. Wireless Internet (1161)
  15. Ofcom Regulation (1149)
  16. Vodafone (846)
  17. EE (834)
  18. 5G (772)
  19. TalkTalk (769)
  20. Sky Broadband (747)
Helpful ISP Guides and Tips

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact