Sponsored

Questions about ISP's logging & storing of communication data (based on New Law)

Alfrado

Member
Dear Members.

Thanks for your patience in reading this lengthy post. I am a new member to this website and I was initially attracted by the in-depth coverage of Investigatory Powers Act 2016 by Mark Jackson, then decided to become a firm follower of this very informative community dedicated to digital security and liberty.

At the moment, as you may know, I have been struggling to understand in what ways the ISPs in the UK are currently complying with the new law in practical terms, namely Investigatory Powers Act 2016. At the moment, it seemed like there's a sequence of ongoing legal battles between different NGOs and government with regard to lots of amendment on the new law. It has caused so many confusions on me since I have been always hoping to get a clearer view of this law.

So, after reading tons of pages from the official copy of the law, I had no choice but to seek expertise from you guys. Anyway, here are my core questions wishing to be addressed in an understandable language through your help:

1. ABOUT ICRs

They said ICRs are basically"account reference, a source [Internet Protocol] and port address, a destination IP and port address and a time/date”.

What do they exactly mean, did they only mean the DNS?

They said they would be using such data for investigation in relation to Crime.

There have been scandals lately involved with Facebook who is not doing enough of censoring harmful materials on their platform. Would this mean every innocent Facebook user now would need to face the scrutiny of being suspected as cybercriminal online just because of these ICRs with the irresponsible Facebook?

2. ABOUT Retention Period of Data

According to multiple lines of the various published documents in connection with the Investigatory Powers Act 2016. They said that Data may be retained for a maximum of 12 months.

From what I have learned that my ISP (Three) always keep the communication for a year, but I would be curious to know how long does Virgin keep the data for the purpose of retention before destroying them.

Secondly, I want to know if the period of 12 months IS the absolute maximum length of time that any of these government agencies could process upon on; Or they can just keep filing new retention notices on the same data one 12 months after another 12 months..or even eventually archive the data forever somewhere else?

Does the law say explicitly that no matter the progression of any external intervention, all data to be retained in a secure and confidential manner for 12 months have to be destroyed after this period elapses?
I couldn't the original script from the law itself, but on another source here.

For example, the communication data generated by ISP between Jan - Dec 2017, can only be stored, processed and even investigated within the timeframe of Jan - Dec 2017, they cannot act upon it beyond this period except destroying them.

The reason I asked about the question above was that I wanted to have solid confidence in my ISPs' commitment to removing any of the customers' data once the 12 months period elapses no matter what.

So am I really interpreting the "12 months retention period rule" correctly?

Once again, thanks for your patience in reading this lengthy post and I wish to hear all of your precious answers, guidance and feedbacks. An answer by Mark Jackson will be hugely appreciated.

Many thanks.
 

Mark.J

Administrator
Staff member
ISPreview Team
I think our 2017 article on this is still fairly close, albeit very roughly, to what sort of data is contained within an ICR. I saw the final code for this and from what I could tell it wasn't much different:


The basic ICR data has to be retained for 12 months, after which it can and will be discarded (this is at ISP level - I can't speak to the police side if they access the data within that 12 month period). Crucially this does NOT include the content of your communication, it's just a basic log and I don't think they even track a full URL (only up to the primary domain). If the government wants to see the content / more detail of your activity then they still have to secure a warrant first before ISPs can even start to log that.

I agree that the law has gone through so many changes, and is in some respects still in a state of flux, that it's very difficult to know which way is up. Ideally it would help to hear from an ISP that is actually having to deal with this, but the law kind of limits what they can say about it all.

NOTE: The code also seems to state that some ICRs may contain even less data than our article's example, depending upon the ISP's capabilities.
 

Alfrado

Member
I think our 2017 article on this is still fairly close, albeit very roughly, to what sort of data is contained within an ICR. I saw the final code for this and from what I could tell it wasn't much different:


The basic ICR data has to be retained for 12 months, after which it can and will be discarded (this is at ISP level - I can't speak to the police side if they access the data within that 12 month period). Crucially this does NOT include the content of your communication, it's just a basic log and I don't think they even track a full URL (only up to the primary domain). If the government wants to see the content / more detail of your activity then they still have to secure a warrant first before ISPs can even start to log that.

I agree that the law has gone through so many changes, and is in some respects still in a state of flux, that it's very difficult to know which way is up. Ideally it would help to hear from an ISP that is actually having to deal with this, but the law kind of limits what they can say about it all.

NOTE: The code also seems to state that some ICRs may contain even less data than our article's example, depending upon the ISP's capabilities.
Dear Mark

Thanks your incredible contribution and I am truly grateful for it.

I have read through your article about ICRs and it was incredibly informative. Please if you could keep on reporting the latest development of this new and confusing legislation for us, that would be wonderful for all of us.

Now, I have a very specific question to you with regard to these so-called ICRs and a potential risks.

I did an experiment today by testing some random "keywords" on Google Image or Bing Image Search Engine while using the Wireshark to capture the real-time DNS packet of the traffic.

What I have discovered was deeply worrying. Basically. if you search "Banana" in either of these sits. You would get a long list of random results rooted from across the world wide web.

No matter which image you have clicked for a larger preview (without leaving the Google's search result page") or even just by doing nothing with your mouse cursor.

You would see all kinds of DNS have been generated non-stop, and these DNS are mostly the source servers' URLs/Domains where these images are being hosted on


In other words, you can literally have a huge number of random domains been generated in your ICRs through just conducting a simple search on Google Image Search alone (without even leaving the Google's URL itself)

I have heard about Microsoft's Bing has been accused recently in regard to their image search results contain illegal and harmful materials which were failed to be filtered by the company. This could mean a HUGE risk for any innocent people who might not be aware of their ICRs were exposed to these suspicious DNS where these harmful materials were rooted from.

Is this a legitimate concern? If so, what can we do to safeguard our traces of ICRs? If not, would you mind elaborating on the irrelevance of my experiment in relation to the reality of the law?


I am truly looking forward to your expertise on this! Many thanks!
 

Mark.J

Administrator
Staff member
ISPreview Team
I think an ISP would need to answer that one as I have some idea, but am not confident that my answer would be correct (it's been awhile since I wrote about all this so my memory is no longer as fresh). However the easiest way to mask such activity would be to put the connection behind a good VPN or Proxy Server.
 

Captain_Cretin

ULTIMATE Member
I think an ISP would need to answer that one as I have some idea, but am not confident that my answer would be correct (it's been awhile since I wrote about all this so my memory is no longer as fresh). However the easiest way to mask such activity would be to put the connection behind a good VPN or Proxy Server.
The trouble with that is, you are MAKING yourself look guilty.

@Alfredo, have you tried running that search with something like NoScript blocking all the tracking/suspicious 3rd party cookies??
(although TBF, Google Search homepage only shows 3 Google related scripts, and nothing else on my system)
 

Mark.J

Administrator
Staff member
ISPreview Team
That's nonsense, it does not make somebody "look guilty" of anything by itself. Remote workers are usually required to use a VPN and it's essential when working over hotel/public WiFi networks outside of the home (inc. for VoIP). I'm always using one to help friends/family via remote desktop connections too and they also help to protect you from web-based spyware, as well as to get around geo blocks and country blocks. They can also help to manage (deflect) DDoS attacks. Not to mention protecting freedom of speech in repressive countries.
 

Captain_Cretin

ULTIMATE Member
That's nonsense, it does not make somebody "look guilty" of anything by itself. Remote workers are usually required to use a VPN and it's essential when working over hotel/public WiFi networks outside of the home (inc. for VoIP). I'm always using one to help friends/family via remote desktop connections too and they also help to protect you from web-based spyware, as well as to get around geo blocks and country blocks. They can also help to manage (deflect) DDoS attacks. Not to mention protecting freedom of speech in repressive countries.
Perhaps in an ideal world Mark, and as long as you have a provable and reasonable excuse; but as someone who was accused and arrested "on suspicion of", the rozzers spent more time asking about encryption and secure file deletion programs on my PC than they did about the crime I was accused of; to the extent that 4-5 hours into the interview, I still didnt know who I had been accused of raping.
 

Alfrado

Member
I think an ISP would need to answer that one as I have some idea, but am not confident that my answer would be correct (it's been awhile since I wrote about all this so my memory is no longer as fresh). However the easiest way to mask such activity would be to put the connection behind a good VPN or Proxy Server.
Hi. Thanks very much for your honest answer at this point.
Indeed, it's very very difficult to confirm with regard to any such details at this point. However, please do share more such insights in your news coverage in the future. I believe the users of their services have rights to know about this.

Now, I have the last set of questions wishing to gain your expertise upon, this is in relation to the Commucations Data - Code of Practice published NOV 2018.

Under the section of Retention Period. I was extremely confused by some of the points covered under this part of the booklet:

17.35 Data remained under the Act may be retained for a maximum of 12 months

This part I could understand as this is indeed aligning to the New Law.

17.35 A data retention notice may cover data already in existence at the point at which notice is given or it may require the generation of data.

I don't understand this part, why do they need to issue notice separately again if the default rules being imposed on ISP in relation data retention already took effect for 12 months. If such notice was to be issued, then where is that cut off point in relation to data already in existence?

17.36 The starting point for the retention period for data in existence at the point is determined by the type of data.

This is even more incredibly confusing. Why does it have to be determined by the type of data? How does it apply in the case ICRs? ISP has been already storing data for at least 12 months without being issued a notice, then if a new notice kicked in, then how does that work over the layer of already existed protocol? Another 12 months being added by placing any starting point within that existing 12 months records?

It made my mind exploded. I need your take on this.


Many thanks!
 

boggits

Top Member
17.35 - is about how long you retain data obtained solely for the purposes of the act, if the data is obtained for other reasons (such as billing) then the retention period becomes based on that reasons.

17.36 - not all ISPs are covered by the act, therefore they need to be able to add ISPs into the scope. This section allows for data already being recorded for other purposes to sequestered for the purposes of the act and to stop data being lost and restarted at the point of serving the notice.

ICRs are not in general something an ISP collects, they are a hybrid of data held in two (or more) systems and the reason that legislation is to *make* the ISP collect all the bits in order to present "ICRs" to LEOs
 
Top
Promotion
Cheapest Superfast ISPs
  • Hyperoptic £18.00 (*22.00)
    Avg. Speed 30Mbps, Unlimited
    Gift: Code: SPRING19
  • Vodafone £21.00 (*23.00)
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • TalkTalk £22.50
    Avg. Speed 36Mbps, Unlimited
    Gift: None
  • Direct Save Telecom £22.95 (*29.95)
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • SSE £23.00 (*33.00)
    Avg. Speed 35Mbps, Unlimited (FUP)
    Gift: None
Prices inc. Line Rental | View All
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Promotion
The Top 20 Category Tags
  1. BT (2366)
  2. FTTP (1917)
  3. FTTC (1566)
  4. Broadband Delivery UK (1529)
  5. Politics (1305)
  6. Openreach (1303)
  7. Business (1151)
  8. Statistics (1017)
  9. Mobile Broadband (942)
  10. FTTH (925)
  11. Fibre Optic (924)
  12. Ofcom Regulation (857)
  13. Wireless Internet (851)
  14. 4G (822)
  15. Virgin Media (788)
  16. Sky Broadband (565)
  17. TalkTalk (545)
  18. EE (538)
  19. Vodafone (452)
  20. Security (387)
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules