One of a series of posts on the forthcoming Investigatory
Powers Bill
Previous: Communications Data Retention, Part 2
Retention of weblog data. Perhaps the most contentious and confused
aspect of communications data retention is the debate over so-called weblog
data. Anderson said:
“What is meant by web log in this context has caused some uncertainty, and independent experts to whom I have spoken criticise the term, and those who use it, on the basis of imprecision (as well as the inapplicability of the term to non-web based services).” [9.53]
The confusion around
weblog data is heightened by the fact that the definitional boundaries are
different for mandatory retention under DRIPA, voluntary retention under ATCSA
2001 and access to communications data by public authorities under RIPA.
RIPA drew the original
line between communications data and content.
A machine identifier (such as an IP address or a URL up to the first
slash) was communications data, but a URL after the first slash was
content. As Anderson observes, there are
arbitrary elements to the core definition. So
www.bbc.co.uk is communications data, www.bbc.co.uk/sport is content, but
sport.bbc.co.uk is communications data (Anderson, 9.54, fn 32).
The Home Office seems
to want to extend mandatory retention to include URLs up to the first slash,
but not full URLs. That appears from the definition of weblog data that it
provided to Anderson:
“Weblogs are a record of the interaction that a user of the internet has with other computers connected to the internet. This will include websites visited up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of the other computers or services with which contact occurred.” [9.53]
Weblogs limited in that
way could still, Anderson observes, “reveal, as critics of the proposal point
out, that a user has visited a pornography site, or a site for sufferers of a
particular medical condition, though the Home Office tell me that it is in
practice very difficult to piece together a browsing history.” [9.54]
The Home Office
description of weblog data is also intended to cover data such as destination
IP addresses, DNS server logs, http ‘GET’ messages and IP service use data.
[Anderson 9.54, fn 32] The inclusion of GET messages is odd. A GET message requests a page from the web server. Unless truncated it would be the equivalent of retaining a full URL.
Anderson reports law
enforcement apparently pressing the case for compulsory retention of weblog
data less strongly than to the Joint Committee in 2012:
“In short, it was not submitted to me, as it was in 2012 to the [Joint Committee], that “access to weblogs is essential for a wide range of investigations”. [9.61]
However he added:
“it was clear from my conversations with the most senior officers that law enforcement does want a record to exist of an individual’s interaction with the internet to which it can obtain access. Ultimately it would argue for the retention of web logs, subject to safeguards to be determined by Parliament, if this was identified as the best way to meet its operational needs. But it would expect all avenues to be explored before reaching a final view on the best solution.”
Recommendations of the three
Reviews in relation to weblog data retention are:
ISC
|
No recommendation
|
Anderson
|
Full consideration should be given
to alternative means of achieving those purposes, including existing powers,
and to the categories of data that should be required to be retained, which
should be minimally intrusive. If a sufficiently compelling operational case
has been made out, a rigorous assessment should then be conducted of the lawfulness,
likely effectiveness, intrusiveness and cost of requiring such data to be retained.
No detailed proposal should be put forward until that exercise has been performed.
(Recommendation 15)
|
RUSI
|
No recommendation
|
Given the confusion
over what is and is not weblog data, I have set out in the table below a tentative
analysis (others may have different interpretations and I reserve the right to
change my mind!) of the current position on retention and access to some types
of communications data. References to ‘Schedule’ are to the Schedule annexed to
the Data Retention Regulations 2014 (S.I. 2014/2042) made under DRIPA.
Three points should be
borne in mind when reading the table.
First, a ‘Yes’ answer does not mean that that type of data is
necessarily covered in all circumstances.
It has at least to satisfy the conditions in rows 2 and (for CTSA 2015)
3 of the table. Second, I have given the benefit of the doubt to CTSA’s difficult definition of relevant internet data (set out in row 3). Third, CTSA can only apply
to data that is not already covered by the DRIPA Regulations.
Datatype
|
Mandatory
retention possible under DRIPA?
|
Mandatory
retention possible under CTSA S21?
|
Can
disclosure be required under RIPA Pt I Chapter II?
|
Comment
|
Applies only so far as the data is generated or
processed within UK by a public telecommunications operator in the process of
providing a telecommunications service (DRIPA S. 2(1)).
|
A telecommunications operator can be required to
disclose communications data in its possession and to obtain and disclose it
if not in its possession
|
|||
Applies only to the extent that the data can
identify, identify, or assist in identifying, which IP address or other
identifier belongs to the sender or recipient of a communication
|
||||
At
customer’s ISP
|
||||
Source static IP address
|
Yes (Schedule, 13(1)(b))
|
Yes
|
||
Source dynamic IP address.
|
Yes (Schedule, 13(1)(b))
|
Yes
|
||
Source shared IP address (within ISP e.g. CG-NAT)
|
Yes (Schedule, 13(1)(b))
|
Yes
|
||
Source port number
|
No
|
Yes
|
Yes
|
|
Weblog data: destination IP address
|
No
|
Probably excluded by S.21(3)(c)
|
Yes
|
|
Weblog data: destination URL (up to first ‘/’)
|
No
|
No (excluded by S.21(3)(c))
|
Yes (traffic data within S. 21(6))
|
ATCSA 2001 Voluntary Code provides for retention for
4 days
|
Destination URL (after first ‘/’)
|
No
|
No (excluded by S.21(3)(c))
|
No (excluded by last para of S.21(6))
|
Excluded from ATCSA 2001 Voluntary Code
|
At public
wi-fi point
|
||||
Source MAC address
|
No
|
Yes
|
Yes
|
|
At webmail
provider or other public host
|
DRIPA confirmed webmail as a telecommunications
service
|
|||
IP address allocated by user’s ISP
|
Yes
|
Yes
|
||
Port number allocated by user’s ISP
|
No
|
Yes
|
Yes
|
|
No comments:
Post a Comment
Note: only a member of this blog may post a comment.