Am I the only one still confused by Clause 17 (now Clause 21) of the Counter-Terrorism and Security Bill? This is the clause that will extend the communications data retention provisions of DRIPA to cover so-called IP address resolution. I have been wrestling with it since the beginning of December. The most recent Parliamentary explanations have not lifted the fog.
The second day of the House of Lords Committee stage took place on 26 January. In response to a plea to explain what data might be covered by the clause, the Minister said this:
“The noble Lord, Lord Rosser, asked for examples of access data that may be required. An example is port numbers, which are akin to a house number, where an IP address is akin to a postcode. I know that the noble Baroness, Lady Lane-Fox, could probably give us a tutorial on the technical points; I could probably do with one at some point. Other types of data include the MAC address—the identifier of a particular computer—the time, the location and so on.”
So far, so clear. It’s about port numbers and MAC addresses. The Home Office Fact Sheet and the Impact Assessment suggested the same. But the Minister went on to say:
“Those are the types of data covered by “or other identifier”, and that is set out in the Explanatory Notes which accompany the legislation.”
So according to the Minister a port number is an ‘other identifier’ as defined by Clause 21. But the conundrum is, as I read it Clause 21 does not empower the retention of ‘other identifiers’. It empowers retention of communications data that can assist in associating an “IP address or other identifier” with the sender or recipient of a communication.
Clause 21 empowers the mandatory retention of:
“communications data which … may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)”
An identifier “means an identifier used to facilitate the transmission of a communication”.
If the clause does (as the Home Office clearly intends) empower mandatory retention of port numbers, it is because they can assist in linking an IP address (or other identifier) simultaneously used by thousands of ISP customers to one customer device or connection – not because a port number is itself an 'other identifier'.
I can see nothing in the clause that provides a power to require port numbers or MAC addresses to be retained on the basis that they are ‘other identifiers’.
This does add spice to the question what is ‘other identifier’ doing in Clause 21 at all, when the issue that gave rise to the clause was about simultaneous IP address sharing? A clear explanation of Clause 21 would be helpful. Even better, the government could start again with a redraft that is specific about what the clause is aiming to achieve.