Wednesday, 12 August 2015

The Coming UK Surveillance Debate: Communications Data Retention, Part 3

One of a series of posts on the forthcoming Investigatory Powers Bill


Retention of weblog data. Perhaps the most contentious and confused aspect of communications data retention is the debate over so-called weblog data. Anderson said:
“What is meant by web log in this context has caused some uncertainty, and independent experts to whom I have spoken criticise the term, and those who use it, on the basis of imprecision (as well as the inapplicability of the term to non-web based services).” [9.53]
The confusion around weblog data is heightened by the fact that the definitional boundaries are different for mandatory retention under DRIPA, voluntary retention under ATCSA 2001 and access to communications data by public authorities under RIPA.

RIPA drew the original line between communications data and content.  A machine identifier (such as an IP address or a URL up to the first slash) was communications data, but a URL after the first slash was content.  As Anderson observes, there are arbitrary elements to the core definition.  So www.bbc.co.uk is communications data, www.bbc.co.uk/sport is content, but sport.bbc.co.uk is communications data (Anderson, 9.54, fn 32).

The Home Office seems to want to extend mandatory retention to include URLs up to the first slash, but not full URLs. That appears from the definition of weblog data that it provided to Anderson:
“Weblogs are a record of the interaction that a user of the internet has with other computers connected to the internet. This will include websites visited up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of the other computers or services with which contact occurred.” [9.53]
Weblogs limited in that way could still, Anderson observes, “reveal, as critics of the proposal point out, that a user has visited a pornography site, or a site for sufferers of a particular medical condition, though the Home Office tell me that it is in practice very difficult to piece together a browsing history.” [9.54]

The Home Office description of weblog data is also intended to cover data such as destination IP addresses, DNS server logs, http ‘GET’ messages and IP service use data. [Anderson 9.54, fn 32] The inclusion of GET messages is odd. A GET message requests a page from the web server. Unless truncated it would be the equivalent of retaining a full URL.
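The first-slash line drawn under RIPA and the point about GET messages, as an added illustration (not code from the original post or from any of the Reviews). It splits a URL at the first slash as the post describes, then shows that an untruncated GET request yields the full URL while a truncated one yields only the host. The function names and the sample request are constructed for this example.

```python
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def split_at_first_slash(url):
    """Return (host, remainder): the part before the first '/' and the part after."""
    # Accept scheme-less forms such as 'www.bbc.co.uk/sport'.
    parts = urlsplit(url if _SCHEME.match(url) else "//" + url)
    rest = parts.path + ("?" + parts.query if parts.query else "")
    # A bare '/' names no particular page, so treat it as empty.
    return (parts.hostname or ""), ("" if rest == "/" else rest)

def summarise_get(raw_request):
    """Show what a GET request reveals with and without truncation."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    host = ""
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = split_at_first_slash(value.strip())[0]
    if _SCHEME.match(target):
        # Absolute-form target (as sent to a proxy) carries the host itself.
        host, target = split_at_first_slash(target)
    elif target == "/":
        target = ""
    return {
        "untruncated": host + target,  # equivalent to the full URL
        "truncated": host,             # URL up to the first '/'
    }

# Constructed sample request, not taken from any real capture.
SAMPLE_GET = (
    "GET /sport/football?team=x HTTP/1.1\r\n"
    "Host: www.bbc.co.uk\r\n"
    "User-Agent: example\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for u in ("www.bbc.co.uk", "www.bbc.co.uk/sport", "sport.bbc.co.uk"):
        print(u, "->", split_at_first_slash(u))
    print(summarise_get(SAMPLE_GET))
```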

Anderson reports law enforcement apparently pressing the case for compulsory retention of weblog data less strongly than to the Joint Committee in 2012:
“In short, it was not submitted to me, as it was in 2012 to the [Joint Committee], that “access to weblogs is essential for a wide range of investigations”.” [9.61]
However, he added:
“it was clear from my conversations with the most senior officers that law enforcement does want a record to exist of an individual’s interaction with the internet to which it can obtain access. Ultimately it would argue for the retention of web logs, subject to safeguards to be determined by Parliament, if this was identified as the best way to meet its operational needs. But it would expect all avenues to be explored before reaching a final view on the best solution.” 
Recommendations of the three Reviews in relation to weblog data retention are:
ISC: No recommendation

Anderson: Full consideration should be given to alternative means of achieving those purposes, including existing powers, and to the categories of data that should be required to be retained, which should be minimally intrusive. If a sufficiently compelling operational case has been made out, a rigorous assessment should then be conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained. No detailed proposal should be put forward until that exercise has been performed. (Recommendation 15)

RUSI: No recommendation

Given the confusion over what is and is not weblog data, I have set out in the table below a tentative analysis (others may have different interpretations and I reserve the right to change my mind!) of the current position on retention and access to some types of communications data. References to ‘Schedule’ are to the Schedule annexed to the Data Retention Regulations 2014 (S.I. 2014/2042) made under DRIPA.

Three points should be borne in mind when reading the table.  First, a ‘Yes’ answer does not mean that that type of data is necessarily covered in all circumstances.  It has at least to satisfy the conditions in rows 2 and (for CTSA 2015) 3 of the table. Second, I have given the benefit of the doubt to CTSA’s difficult definition of relevant internet data (set out in row 3). Third, CTSA can only apply to data that is not already covered by the DRIPA Regulations.

| Datatype | Mandatory retention possible under DRIPA? | Mandatory retention possible under CTSA S21? | Can disclosure be required under RIPA Pt I Chapter II? | Comment |
|---|---|---|---|---|
| | Applies only so far as the data is generated or processed within UK by a public telecommunications operator in the process of providing a telecommunications service (DRIPA S. 2(1)). | | A telecommunications operator can be required to disclose communications data in its possession and to obtain and disclose it if not in its possession | |
| | | Applies only to the extent that the data can identify, or assist in identifying, which IP address or other identifier belongs to the sender or recipient of a communication | | |
| At customer’s ISP | | | | |
| Source static IP address | Yes (Schedule, 13(1)(b)) | | Yes | |
| Source dynamic IP address | Yes (Schedule, 13(1)(b)) | | Yes | |
| Source shared IP address (within ISP e.g. CG-NAT) | Yes (Schedule, 13(1)(b)) | | Yes | |
| Source port number | No | Yes | Yes | |
| Weblog data: destination IP address | No | Probably excluded by S.21(3)(c) | Yes | |
| Weblog data: destination URL (up to first ‘/’) | No | No (excluded by S.21(3)(c)) | Yes (traffic data within S. 21(6)) | ATCSA 2001 Voluntary Code provides for retention for 4 days |
| Destination URL (after first ‘/’) | No | No (excluded by S.21(3)(c)) | No (excluded by last para of S.21(6)) | Excluded from ATCSA 2001 Voluntary Code |
| At public wi-fi point | | | | |
| Source MAC address | No | Yes | Yes | |
| At webmail provider or other public host | | | | DRIPA confirmed webmail as a telecommunications service |
| IP address allocated by user’s ISP | Yes | | Yes | |
| Port number allocated by user’s ISP | No | Yes | Yes | |
