Sunday, 21 December 2014
Wednesday, 3 December 2014
[Further updated 20 January 2015 to add tweet.]
[Also updated 5 January 2015 with this brief commentary on the Home Office Factsheet:
Page 1: Top Lines
"IP resolution is the ability to identify who in the real world was using an Internet IP address at a given point in time." Data retention at best identifies the device or connection being used and any associated subscriber details. The subscriber is not necessarily the user. Page 2 of the Factsheet is accurate: "This data can help identify who has made a communication, when, where and how." (emphasis added)
Page 1: Background
"However, some IP addresses are shared and allocated dynamically." True, but dynamic allocation is not what Clause 17 is about. Dynamic IP address allocation is sequential temporary allocation of a public IP address to one customer after another. Dynamic IP addresses are already explicitly mentioned in the DRIPA datatypes (Data Retention Regulations 2014, Schedule, Paras 13(1)(b) and 11(3)). It is evident from the diagram on page 3 of the Factsheet that the problem being addressed by Clause 17 is simultaneous sharing of a single public IP address by multiple ISP customers.
Page 3: Diagram
"At 4pm 2,500 people are using a single IP address on the internet." Exactly. The issue is simultaneous sharing of a single IP address, not dynamic (sequential) allocation of an IP address.
"The e-mail service provider now provides police with IP address and port number used to send the e-mail and accurate time." In order to do this the e-mail service provider in the diagram example will have had to retain IP address, port number and timing data. Will such providers, as well as internet access providers, be subject to mandatory retention?
"Police seek details from internet access provider. Internet access provider now identifies the individual using the unique combination of IP address and port number provided at 4pm." The internet access provider identifies the customer, who may be but is not necessarily the individual who used the device in question.]
Four months after DRIPA and 18 months after putting down a marker in the May 2013 Queen’s Speech, the UK government has embarked on a new round of legislation for mandatory retention of communications data. This time it is under the banner of IP address matching.
- Some ISP and mobile operator systems don’t allocate one public IP address to one customer device or connection, but have many customers sharing an IP address simultaneously. They could be required to retain linking data such as port numbers.
- Even if an ISP retains IP address and (say) port number records, it cannot be sure of identifying a single device or connection unless law enforcement can provide it with both a port number and an IP address to look up. So a cloud storage or web e-mail provider accessed by the user could also be required to retain logs of linking data visible to it, such as port numbers.
- Operators such as public Wi-Fi hotspots could be required to log MAC addresses.
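
The lookup described in the first two bullets, as an added example that is not part of the original post or the Home Office Factsheet: resolving a shared public IP address against an access provider's translation log, with and without a port number from the server side. The log format, subscriber IDs, addresses and the `skew_seconds` parameter are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of an access provider's address-translation log.
# Hypothetical format: start, end, public IP, public port, subscriber ID.
SAMPLE_NAT_LOG = """\
2014-12-03T15:58:10 2014-12-03T16:02:45 198.51.100.7 40112 SUB-0001
2014-12-03T15:59:30 2014-12-03T16:00:20 198.51.100.7 40113 SUB-0002
2014-12-03T16:00:05 2014-12-03T16:01:00 198.51.100.7 51820 SUB-0003
2014-12-03T16:00:30 2014-12-03T16:05:00 198.51.100.7 40113 SUB-0004
2014-12-03T15:59:00 2014-12-03T16:03:00 198.51.100.9 40112 SUB-0005
"""


def parse_nat_log(text):
    """Turn each log line into (start, end, ip, port, subscriber)."""
    rows = []
    for line in text.splitlines():
        start, end, ip, port, subscriber = line.split()
        rows.append((datetime.fromisoformat(start),
                     datetime.fromisoformat(end),
                     ip, int(port), subscriber))
    return rows


def candidates(rows, ip, when, port=None, skew_seconds=0):
    """Subscribers whose mapping matches the query.

    port=None models a request built from a server log that kept only
    the IP address and time. skew_seconds widens the match window to
    allow for clock disagreement between the server and the provider.
    """
    skew = timedelta(seconds=skew_seconds)
    hits = set()
    for start, end, row_ip, row_port, subscriber in rows:
        if row_ip != ip:
            continue
        if port is not None and row_port != port:
            continue
        if start - skew <= when <= end + skew:
            hits.add(subscriber)
    return sorted(hits)


if __name__ == "__main__":
    rows = parse_nat_log(SAMPLE_NAT_LOG)
    at_4pm = datetime(2014, 12, 3, 16, 0, 0)
    print(candidates(rows, "198.51.100.7", at_4pm))            # IP + time
    print(candidates(rows, "198.51.100.7", at_4pm, 40113))      # IP + port + time
    print(candidates(rows, "198.51.100.7", at_4pm, 40113, 30))  # 30 s clock skew
```

With IP address and time alone the query matches several subscribers; adding the port narrows it to one, but a 30-second clock disagreement brings in a second subscriber because port 40113 was reused. In every case the result is a subscriber record, not necessarily the person who used the device.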
“IP Resolution: Allow for a power to require communications service providers to retain the data necessary to attribute an IP address to an individual.”
“may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)”.
This is the most curious part of Clause 17. The problem is surely not identifying which IP address ‘belongs’ to a given sender or recipient of the communication, but identifying which device or connection (of many) was used to make a given communication via a given shared public IP address. Is it drafted the wrong way round?
“… An IP address can often be shared by hundreds of people at once – in order to resolve an IP address to an individual other data ("other identifier" in this clause) would be required.”
“Data necessary for the resolution of IP addresses could include port numbers or MAC (media access control) addresses.”
“For example w[h]ere a user uploads an illicit file to a cloud server that server provider, if subject to a data retention notice, would be required to retain sufficient information to enable the internet access provider to identify the user.”
[My 8 point tweet of points on Clause 17:
1/8 Is it about dynamic (sequential) IP address allocation? No. Already covered in DRIPA and so excluded from Cl 17. — Graham Smith (@cyberleagle) January 20, 2015
2/8 The Home Office Factsheet suggests Cl 17 is about simultaneous use of one public IP address by many customers. — Graham Smith (@cyberleagle) January 20, 2015
3/8 But you'd never guess that from reading Cl 17. What else might it cover? Its vague drafting gives little clue. — Graham Smith (@cyberleagle) January 20, 2015
4/8 The Fact Sheet shows it is meant to cover not just internet access, but cloud/web e-mail providers who generate or process data in UK. — Graham Smith (@cyberleagle) January 20, 2015
5/8 Cl 17 isn't limited to data linking a device or connection to a public IP address. Includes 'other identifiers' as well as IP addresses. — Graham Smith (@cyberleagle) January 20, 2015
6/8 What is an 'other identifier'? A MAC address, said the Minister on 9 Dec. The EN seems to suggest a MAC address is linking data. Both? — Graham Smith (@cyberleagle) January 20, 2015
7/8 'Other identifier' is said to 'future proof' Cl 17 by making it 'technologically neutral'. In a provision sunsetted in Dec 2016? — Graham Smith (@cyberleagle) January 20, 2015
8/8 RIPA was drafted to be technologically neutral. The result was a statute universally acknowledged to be impenetrable. #BeenHereBefore — Graham Smith (@cyberleagle) January 20, 2015]
[Updated 4 December 2014 with references to the Home Office Factsheet and minor clarifications and edits. Further update 5 January 2015 with comments on the Home Office Factsheet. Further updated 20 January 2015 to add tweet.]