The Draft Investigatory Powers Bill has been presented to the House of Commons this afternoon and a revised bill is expected to be presented before Parliament in the Spring of 2016 with its passage expected before the existing legislation expires at the end of next year.
The Home Secretary was keen to highlight that the new bill will not record Internet users' web browsing histories in detail (i.e. they would not record you had visited our speed test page), but rather the websites which users visit (such as 'thinkbroadband'). This would apply to Communications Providers in the UK who have had a Communications Data Retention Notice served on them. This would require such providers to retain Internet Communications Records (ICRs) for twelve months.
The Internet Communications Record (ICR) is a new term and appears to mean that providers would retain what IP address and port number a specific account accessed at a certain time and date. This would allow identification on mobile networks using shared IP addresses of who actually visited which sites. It is not clear how an ICR will identify a particular device or user on services like an open public Wi-Fi network that does not require any authentication, or whether more information will be retained from HTTP headers, such as the user-agent string which can be used tell if a mobile phone or a laptop was used to access a service.
"8 – What will the Bill do?
The draft Bill would require, where necessary and proportionate, the retention of ICRs by UK communications companies that are under a data retention notice, for up to twelve months. Law enforcement would then be able to acquire them on a case-by-case basis, where it was necessary and proportionate to do so in the course of an individual investigation, in order to: identify what device had sent an online communication, establish what online communications services a known individual had accessed or identify whether a known individual had accessed illegal services online.Extract from Investigatory Powers Bill factsheet
The statement in the House of Commons made it clear that Local Authorities will not have access to the data, only the Armed Services, Law Enforcement and Security Services will have access and then it will only be available on a case by case warrant. The aim of the ICR retained for 12 months to be "therefore provide the unique identifier to distinguish between different users of a shared IP address" and is not to allow security services or law enforcement to know what you actually did on any site that you visited.
Until the Bill passes and becomes law one cannot be sure whether all broadband providers, or Wi-Fi hot-spot operators will be subject to a data retention notice, these will be issued by the Secretary of State and providers are able to refer a notice back if an obligation is considered unreasonable and providers are required to keep any data securely and delete it once any retention period has passed.