from the surveillance-magic dept
A key element in the bill is the demand for "internet connection records." The draft bill has a whole section on these "ICRs" which it defines as:
A kind of communications data, an ICR is a record of the internet services a specific device has connected to, such as a website or instant messaging application. It is captured by the company providing access to the internet. Where available, this data may be acquired from CSPs by law enforcement and the security and intelligence agencies.That definition, by itself, seems somewhat self-contradictory, but we'll leave that aside for now. Adrian Kennard, the head of a small UK ISP, Andrews & Arnold, has filed some comments highlighting how technically clueless this idea is:
An ICR is not a person’s full internet browsing history. It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page.
The explanatory notes, and one of the clauses in the bill, make use of the term “Internet Connection Record”. We are concerned that this creates the impression that an “Internet Connection Record” is a real thing, like a “Call Data Record” in telephony.From there, it goes even further, pointing out that the justification for needing these non-existent ICRs was a statement from UK Home Secretary Theresa May about how useful such info would be in finding a missing girl:
An ICR does not exist - it is not a real thing in the Internet. At best it may be the collection of, or subset of, communications data that is retained by an operator subject to a retention order which has determined on a case by case basis what data the operator shall retain. It will not be the same for all operators and could be very different indeed.
We would like to see the term removed, or at least the vague and nondescript nature of the term made very clear in the bill and explanatory notes.
"Consider the case of a teenage girl going missing. At present we can ask her mobile provider for call records before she went missing which could be invaluable to finding her. But for Internet access, all we get is that the Internet was accessed 300 times. What would be useful would be to know she accessed twitter just before she went missing in the same way as we could see she make a phone call"Except, as Kennard points out, that's not how the internet actually works. You don't "connect" to Twitter like that, because you're constantly connected to Twitter:
...in yesterday’s meeting I, and other ISPA members immediately pointed out the huge flaw in this argument. If the mobile provider was even able to tell that she had used twitter at all (which is not as easy as it sounds), it would show that the phone had been connected to twitter 24 hours a day, and probably Facebook as well. This is because the very nature of messaging and social media applications is that they stay connected so that they can quickly alert you to messages, calls, or amusing cat videos, without any delay.This seems like a rather important point: the people who put together the Snooper's Charter for spying on the internet don't seem to understand the first thing about how the internet actually works. And yet we're supposed to give them sweeping powers to spy on it? How does that make any sense?
It should be noted that it is quite valid for a “connection” of some sort to last a long time. The main protocol used (TCP) can happily have connections for hours, days, months or even years. Some protocols such as SCTP, and MOSH are designed to keep a single connection active indefinitely even with changes to IP addresses at each end and changing the means of connection (mobile, wifi, etc). Given the increasing use of permanent connections on mobile devices, it is easy to see how more and more applications will use such protocols to stay connected - making one “internet connection record” which could even have passed the 12 month time limit by the time it is logged.
Connections are also typically encrypted and have some data passing all the time, so it would not be practical for an ISP, even using deep packet inspection, to indicate that the girl “accessed twitter” right before she vanished, or even at all (just that there is a twitter app on the phone and logged in).