» ISP News » 

Leaked: UK Gov’s Technical Requirements for Internet Snooping by ISPs

Friday, May 5th, 2017 (9:49 am) - Score 4,296

A leaked blueprint for the ‘Technical Capability‘ of the Government’s controversial new Investigatory Powers Act 2016, which will force broadband ISPs to log a much bigger slice of your Internet activity, has revealed that the smallest ISPs might escape but encryption is still at risk.

The act aims to introduce a system that would, among many other things, require ISPs to store (for up to 12 months) comparatively detailed Internet Connection Records (e.g. the websites / servers you’ve visited but NOT the content) for all their customers, which would be accessible without a warrant (here). On top of that ISPs will also have to provide access to the content of a communication upon request, although unlike an IRC this would require a warrant.

A preliminary Code of Practice, which was published last year, suggested that an ICR’s “core information” will most likely include the customer’s “account reference, a source [Internet Protocol] and port address, a destination IP and port address and a time/date” (details), but some providers may be expected to collect even more than this.

Simplified Interpretation of an ICR Log

Account ID
Date (Time) Source IP (You)
Destination IP:Port Data Volume URL
1 19/01/2017 (12:01) 800KB omgfakeballz.com
1 19/01/2017 (13:12) 0.2KB ftp.faketest.co.uk
65 19/01/2017 (13:14) 1700KB icanhasyourdata.net

So far the Government has already posted most of their Draft Codes of Practice for the IPAct, although absent from this was any mention of the rules for how ISPs should handle / collect ICRs and that’s because of a recent court ruling, which warned that EU law does not allow “general and indiscriminate retention of traffic data and location data,” except for “targeted” use against “serious crime” (here).

As a result of that ruling the Government’s code of practice for collecting related communications data has been put on hold until they can figure out how to amend the rules.

Meanwhile the Open Rights Group notes that the Home Office has just begun a new consultation on the IPAct’s Technical Capabilities and a blueprint for this has been leaked (here). Prior to this the notice had only been provided to a select few companies (e.g. ISPs).

We should stress that this paper appears related to communications data that would require a ‘warrant‘ (i.e. the content of communications), which is separate to basic ICR collection that doesn’t require a warrant. However the two sides to data snooping are still part of the same broad approach.

The leaked paper doesn’t reveal much, although there are a few interesting highlights. For example, when defining the “relevant operators” the paper states that its obligations “may not be imposed on a relevant telecommunications operator who does not provide, and does not intend to provide, a telecommunications service to more than 10,000 persons.” We don’t yet know for sure if this rule will also apply to ICR collection.

In theory this might allow the smallest of ISPs to avoid some of the rules, although “does not intend to provide” is a tricky one for any growing businesses to interpret (i.e. even a new business may aim to have tens of thousands of people connected, although achieving that is another matter).

Key Points from the Technical Capabilities Notice

* [Telcos must] provide and maintain the capability to carry out the interception of communications or the obtaining of secondary data and disclose anything obtained under the warrant to the person to whom the warrant was addressed, or any person acting on that person’s behalf, within one working day, or such longer period as may be specified in the technical capability notice.

* [Telcos must] provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection.

* [Telcos must] provide and maintain the capability to simultaneously intercept, or obtain secondary data from, communications relating to up to 1 in 10,000 of the persons to whom the telecommunications operator provides the telecommunications service to which the communications relate.

* In order that the capability to intercept communications and obtain secondary data may be maintained, to put in place and to maintain arrangements, agreed with the Secretary of State, to notify the Secretary of State, within a reasonable time, of—

(a) proposed changes to telecommunications services or telecommunication systems to which obligations imposed by a technical capability notice relate;
(b) proposed changes, to existing telecommunications services, of a description specified in the notice, and
(c) the development of new telecommunications services.

NOTE: Secondary Data tends to mean additional information, such as the date and time of a meeting etc.

The second point appears to suggest that communications services which use end-to-end encryption (messaging, financial transactions etc.) could still be in trouble and may need to add a backdoor in order to remove encryption when requested (very dangerous to do this from a security perspective). The Government has spent a lot of time flip-flopping over this issue and the notice does at least include the vague “where practicable” get-out clause.

Elsewhere the requirement that ISPs must inform the Government’s Secretary of State about any new systems or service changes, which has always been present in the IPAct, remains an ugly and cumbersome problem for telecoms firms as such systems are constantly being updated, changed and fixed.

In addition, the third point (up to 1 in 10,000 of the persons) appears to set some sort of processing limit for the information gathering, which makes sense because at a certain point the burden for larger providers of needing to provide simultaneous interception of a large number of subscribers could become unworkable.

Apparently the consultation is due to run until 19th May 2017, at least it is for those select few that have received a copy.

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
10 Responses
  1. incompatible-with-ECHR says:

    For example, when defining the “relevant operators” the paper states that its obligations “may not be imposed on a relevant telecommunications operator who does not provide, and does not intend to provide, a telecommunications service to more than 10,000 persons.”

    Does this mean that a “telecommunications operator” is now obligated to confirm with each of their customers how many “persons” will, or could theoretically, use each service which they provide?

    ie its fairly common to see SME’s use consumer broadband packages to provide connectivity to sites with 100+ employees, and thats even before attempting to establish how many ‘persons’ may use wifi that is provided using the same connectivity.

    1. Mark Jackson says:

      I read it as only applying to the size of the primary operator rather than any of its individual connections, although the way you read it may also be valid. Sadly there’s no further context offered to help clarify. You make a good point though as it states “people” rather than customers or connections, tricky.

  2. incompatible-with-ECHR says:

    Its arguably worded such that it appears to only apply to the handful of large, well known, access providers but when required could easily be extended to any/all access providers.. and anyone else who providers them with a service which it could be argued is used in the provision of an access service.

    ie Wholesale IP transit or Dark Fibre providers who may only have a handful of downstream networks as their customers, and have no knowledge or insight of the total number of “people” who may be using the services they provide…

    Sadly it seems more than just possible that the onus will be with the operator to prove that they are not currently, or potential able to, provide “telecommunications service to more than 10,000 person”

    But then again, looking at the original act the scope for who it means to provide a telecommunications service is sufficiently broad that the ISP whom the customer pays for their service is far from the only organisation who may have obligations under the act..


    (10)“Telecommunications operator” means a person who—

    (a)offers or provides a telecommunications service to persons in the United Kingdom, or

    (b)controls or provides a telecommunication system which is (wholly or partly)—

    (i)in the United Kingdom, or

    (ii)controlled from the United Kingdom.

    (11)“Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

    (12)For the purposes of subsection (11), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.

    (13)“Telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.

  3. HMM says:


    1. timeless says:

      thats the Conservatives for you…

    2. alan says:

      NO thats the ALL the major parties in this country for you and the significant vote in favour of the act. That includes Mr Corbyn

    3. Peter says:

      This is nothing
      the EU’s digital commissioner once stated he wanted everyone to log in to all forum, comment etc sites with the real names and ID themselves via their government issued National ID to the sites.

      Last summer as I remember Germany and Franc were calling for EU laws to mandate all internet related companies to be able to de-crypt anything upon government order.

  4. Web Dude says:

    @timeless – I think Labour could have done the same. The security services will say we need access, the politicians will say “Think of the children” but the effects are similar, and it was much the same in 2010 when the Digital Economy Act was rushed through in the “wash up” between announcing the election and dissolution of Parliament, and that Act was drawn up under Labour.

    By the way, I support neither of those parties, but wanted to make the point that much of policy to do with the internet is from out-of-touch top politicians probably told a pack of fibs by their (often highly paid) ‘special advisers’.

    The hundreds of back-bench politicians, those in the Lords, and probably even the bulk of local councillors, are all likely to be out-of-touch with what works and what doesn’t, when it comes to the internet, safety, security, and how law breaking goes on.

  5. Gavin says:

    Scary stuff. Do they not realize just how flawed and wrong most of these laws are? Most of the experts on the matter seem to say that there methods are wrong. Its madness.

    Hang on though, does this mean that ISPs have yet to start recording ICRs etc? I kinda thought that as the bill was approved it would have started by now, but this makes its sound like they are still ironing out the details of what they will gather & how… makes me wonder if they even have the tech to record and store such data on this massive level yet.

  6. timeless says:

    lets face it, these laws have nothing to do with security.. thats just how they get their feet through the doors..

    if anything the internet is a vast untapped resource.. private entities have already proved that there is money to be made in collecting ppls information and where they have been on a small scale, you only need think how much a mass database would be worth to the right private entity (because lm sure the government would decide to sell off the information, especially Tories).

    not to mention, our current government hates dissident against their policies, they have already been trying to move to ban protests and curb unions power, just think how the Tories would use abilities to spy on online activity to keep protest organisers from organising protests? lets face it most things start online as a point of contact through social media and such.. and l wouldnt put it past the government to stop things before they happen.

Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Ultrafast ISPs
  • Vodafone £23.50 (*26.50)
    Speed: 100Mbps, Unlimited
    Gift: None
  • Gigaclear £24.00 (*49.00)
    Speed: 300Mbps, Unlimited
    Gift: None
  • Hyperoptic £25.00 (*35.00)
    Speed: 150Mbps, Unlimited
    Gift: Promo Code: ROKUGIFT
  • Community Fibre £27.50 (*32.50)
    Speed: 200Mbps, Unlimited
    Gift: First 6 Months Free
  • Virgin Media £28.00 (*52.00)
    Speed: 108Mbps, Unlimited
    Gift: None
Large Availability | View All
Cheapest Superfast ISPs
  • Vodafone £19.50 (*22.50)
    Speed 38Mbps, Unlimited
    Gift: None
  • NOW £20.00 (*32.00)
    Speed 36Mbps, Unlimited
    Gift: None
  • Hyperoptic £20.00 (*25.00)
    Speed 50Mbps, Unlimited
    Gift: Promo Code: ROKUGIFT
  • TalkTalk £21.00 (*29.95)
    Speed 38Mbps, Unlimited
    Gift: None
  • Shell Energy £21.99 (*30.99)
    Speed 35Mbps, Unlimited
    Gift: None
Large Availability | View All
The Top 20 Category Tags
  1. FTTP (3667)
  2. BT (3044)
  3. Politics (1975)
  4. Building Digital UK (1945)
  5. FTTC (1897)
  6. Openreach (1862)
  7. Business (1717)
  8. Mobile Broadband (1501)
  9. Statistics (1430)
  10. FTTH (1367)
  11. 4G (1295)
  12. Virgin Media (1196)
  13. Fibre Optic (1184)
  14. Wireless Internet (1176)
  15. Ofcom Regulation (1167)
  16. Vodafone (859)
  17. EE (845)
  18. 5G (792)
  19. TalkTalk (781)
  20. Sky Broadband (757)
Helpful ISP Guides and Tips

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact