Friday, February 24th, 2017 (3:57 pm)

The Government’s effort to force broadband ISPs into logging a much bigger slice of all your Internet activity, irrespective of whether or not you’re even suspected of a crime, has been partially put on hold as a result of last year’s related ruling from the Court of Justice of the European Union.

The situation centres around the recently introduced Investigatory Powers Act 2016, which among other things proposed to introduce a highly controversial system that would require ISPs to store (for up to 12 months) comparatively detailed Internet Connection Records (e.g. the websites / servers you’ve visited) for all their customers; these records would also be accessible without a warrant.

A preliminary Code of Practice, which was published last year, suggested that an ICR’s “core information” will most likely include the customer’s “account reference, a source [Internet Protocol] and port address, a destination IP and port address and a time/date”, but some providers may be expected to collect even more than this. NOTE: A full interception warrant would still be required in order to obtain the most detailed information (e.g. the content of your communications).

Simplified Interpretation of an ICR Log

| Account ID | Date (Time) | Source IP (You) | Destination IP:Port | Data Volume | URL |
|---|---|---|---|---|---|
| 1 | 19/01/2017 (12:01) | 84.56.232.71 | 123.45.62.86:80-HTTP | 800KB | omgfakeballz.com |
| 1 | 19/01/2017 (13:12) | 84.56.232.71 | 65.123.45.90:21-FTP | 0.2KB | ftp.faketest.co.uk |
| 65 | 19/01/2017 (13:14) | 84.79.130.47 | 190.45.62.86:80-HTTP | 1700KB | icanhasyourdata.net |

Many people have criticised the ICR system for its blanket approach to mass state surveillance, which is a significant departure from the much more targeted methods of previous laws. However, the IPAct’s status was recently cast into doubt, again, after a ruling by the CJEU warned that EU law does not allow “general and indiscriminate retention of traffic data and location data,” except for “targeted” use against “serious crime”.

The case is on-going and until this week we’ve had no clear indication from the Government about its potential impact upon the IPAct, but all that changed yesterday when the Government published their Draft Codes of Practice for the IPAct (these are being consulted upon until 6th April 2017). Absent from the draft was any mention of the rules for how ISPs should handle / collect ICRs and, thanks to Ars Technica, we now know why.

Government Statement: “The European Court of Justice handed down a judgement relating to the UK’s communications data regime in December. The matter must now be considered by the domestic courts and the consultation on the communications data code of practice has been deferred until this has taken place.”

At the very least this will give broadband ISPs and mobile operators a little more time to consider the implications of the IPAct and perhaps a dash of hope that the Government might be forced to water down their legislation, which in a single move has seen the United Kingdom adopt one of the most extreme state surveillance laws of any Western democracy.

Lest we forget, personal privacy is a founding tenet of most democracies because it helps to shield the people, as well as political opponents and journalists etc., from abuse by Governments that hold too much power. Take that protection away and all it takes is one bad leader to screw up the freedoms that so many millions have died to protect.

However, it’s worth remembering that even if the Government is forced to water down the law, the future impact of Brexit could conceivably result in mass surveillance being reintroduced further down the road. Mind you, the CJEU states that any data being retained must be kept within the EU, which adds another complication. Time will tell. We’re currently awaiting a date for the next round of the court battle.