Am I the only one still confused by Clause 17 (now Clause 21) of
the Counter-Terrorism and Security Bill?
This is the clause that will extend the communications data retention
provisions of DRIPA to cover so-called IP address resolution. I have been wrestling with it since the beginning of December.
The most recent Parliamentary explanations have not lifted the fog.
The second day of the House of Lords Committee stage took
place on 26 January. In response to a plea to explain what data might be
covered by the clause, the Minister said this:
“The noble Lord, Lord Rosser,
asked for examples of access data that may be required. An example is port
numbers, which are akin to a house number, where an IP address is akin to a
postcode. I know that the noble Baroness, Lady Lane-Fox, could probably give us
a tutorial on the technical points; I could probably do with one at some point.
Other types of data include the MAC address—the identifier of a particular
computer—the time, the location and so on.”
So far, so clear. It’s about port numbers and MAC
addresses. The Home Office Fact Sheet
and the Impact Assessment suggested the same. But the Minister went on to say:
“Those are the types of data
covered by “or other identifier”, and that is set out in the Explanatory Notes which
accompany the legislation.”
So according to the Minister a port number is an ‘other identifier’
as defined by Clause 21. But the conundrum
is, as I read it Clause 21 does not empower the retention of ‘other
identifiers’. It empowers retention of communications
data that can assist in associating an “IP address or other identifier” with
the sender or recipient of a communication.
Clause 21 empowers the mandatory retention of:
“communications data which … may
be used to identify, or assist in identifying, which internet protocol address,
or other identifier, belongs to the sender or recipient of a communication
(whether or not a person)”
An identifier “means an identifier used to facilitate the
transmission of a communication”.
If the clause does (as the Home Office clearly intends) empower
mandatory retention of port numbers, it is because they can assist in linking
an IP address (or other identifier) simultaneously used by thousands of ISP
customers to one customer device or connection – not because a port number is
itself an 'other identifier'.
I can see nothing in the clause that provides a power to require port numbers or
MAC addresses to be retained on the basis that they are ‘other identifiers’.
This does add spice to the question what is ‘other
identifier’ doing in Clause 21 at all, when the issue that gave rise to the clause was about simultaneous IP address sharing? A clear explanation of Clause 21 would be helpful. Even better,
the government could start again with a redraft that is specific about what the
clause is aiming to achieve.
No, Graham, you are not the only one. There are at least two of us! "Other identifier" could be almost anything, provided it isn't "content". And we all know how easy it is to separate "content" from "communications data", don't we?
ReplyDelete