Skip Navigation

Draft Investigatory Powers Bill introduced
Wednesday 04 November 2015 15:29:22 by Andrew Ferguson

The Draft Investigatory Powers Bill has been presented to the House of Commons this afternoon and a revised bill is expected to be presented before Parliament in the Spring of 2016 with its passage expected before the existing legislation expires at the end of next year.

The Home Secretary was keen to highlight that the new bill will not record Internet users' web browsing histories in detail (i.e. they would not record you had visited our speed test page), but rather the websites which users visit (such as 'thinkbroadband'). This would apply to Communications Providers in the UK who have had a Communications Data Retention Notice served on them. This would require such providers to retain Internet Communications Records (ICRs) for twelve months.

The Internet Communications Record (ICR) is a new term and appears to mean that providers would retain what IP address and port number a specific account accessed at a certain time and date. This would allow identification on mobile networks using shared IP addresses of who actually visited which sites. It is not clear how an ICR will identify a particular device or user on services like an open public Wi-Fi network that does not require any authentication, or whether more information will be retained from HTTP headers, such as the user-agent string which can be used tell if a mobile phone or a laptop was used to access a service.

"8 – What will the Bill do?

The draft Bill would require, where necessary and proportionate, the retention of ICRs by UK communications companies that are under a data retention notice, for up to twelve months. Law enforcement would then be able to acquire them on a case-by-case basis, where it was necessary and proportionate to do so in the course of an individual investigation, in order to: identify what device had sent an online communication, establish what online communications services a known individual had accessed or identify whether a known individual had accessed illegal services online.

Extract from Investigatory Powers Bill factsheet

The statement in the House of Commons made it clear that Local Authorities will not have access to the data, only the Armed Services, Law Enforcement and Security Services will have access and then it will only be available on a case by case warrant. The aim of the ICR retained for 12 months to be "therefore provide the unique identifier to distinguish between different users of a shared IP address" and is not to allow security services or law enforcement to know what you actually did on any site that you visited.

Until the Bill passes and becomes law one cannot be sure whether all broadband providers, or Wi-Fi hot-spot operators will be subject to a data retention notice, these will be issued by the Secretary of State and providers are able to refer a notice back if an obligation is considered unreasonable and providers are required to keep any data securely and delete it once any retention period has passed.


Posted by keith969 about 1 year ago
This is great. No doubt the ISP's costs will be passed on to their customers...
Posted by AndyS about 1 year ago
"providers are required to keep any data securely" - I'm sure TalkTalk customers will be relieved to hear that. ;)
Posted by AndyS about 1 year ago

I'd imagine that if this gets through then we'll see a change in ISP's T&C allowing them to cancel your contract if you visit too many websites - like they used to do with "unlimited" downloads. Just think how many of these Internet Connection Records a computer running malware or a webbot could generate over the course of a year if left running 24/7.
Posted by keith969 about 1 year ago
@Andy S
It would be interesting to know how they plan to control e.g Skype or WhatsApp. I'm not worried about what websites I view - but use apps like these which are encrypted.
Posted by tommy45 about 1 year ago
It's not just them wanting a record of every web site everyone visits, though that isn't going to be straight forwards, nor should government or even worse local government be given access to that data,unless they can show a valid reason, not just a wild guess that you may of visited a certain web site, maybe one of those terrorist ones ,lol

The other bigger concern is they want to ban encryption that they are unable to decrypt, What has my online transactions or banking got to do with nanny state? NOTHING IS WHAT!!!!!!

Posted by PWilkin about 1 year ago
As per Keith969 , I expect the costs to do this to be met by the ISP's having to charge more. A pity they can't pass the costs back to the Government and then let the government 'deduct' the costs from the relevant departments budget (but we know that won't happen)

All we can hope is that some of the ISP's (and phone providers) take this to the European Court and that a ruling against the high level of privacy invasion is ruled against.

In the mean time VPN usage will no doubt increase
Posted by andrew (Favicon staff member) about 1 year ago
@tommy45 Well they say Local Authorities will not have access to the ICR data.

Posted by daveh75 about 1 year ago
There's a petition calling to reverse the decision
Posted by Spud2003 about 1 year ago

As far as storing logs go weren't ISPs doing that anyway between 2006-2014 under the EU Data Retention Directive?
Posted by Michael_Chare about 1 year ago
Unfortunately I suspect that the recent events above the Sinai peninsula will make it more likley that the bill will be passed.

I hope this does not impose an additional burden on WiFi site operators.
Posted by keith969 about 1 year ago
Yes I see that, but it's not clear if ISPs were forced to store data or whether 'member states' did by intercepting data.

Simple fact is that if you're an ISP and are required to store data, then that means lots of storage and management of it... which costs.
Posted by pfvincent about 1 year ago
You state 'The aim of the ICR retained for 12 months to be "therefore provide the unique identifier to distinguish between different users of a shared IP address"'
How is this possible? I thought that a NAT router, which most users will be using for their home network, hid from the public network which device linked to the local network is the origin/destination of the traffic.
Therefore, how will the ICR record whether I have connected to thinkbroadband, my wife has connected to thinkbroadband, or a visitor who I've given access to my network has connected to thinkbroadband?
You must be logged in to post comments. Click here to login.