The draft Investigatory Powers Bill (IPB) has serious implications for Internet Service Providers (ISPs), who could be both obliged to assist the state in surveillance and also adversely affected by other provisions in the Bill, such as new hacking powers.
Earlier this month, President of BT Security, Mark Hughes, Director of Policy at Sky, Adam Kinsley, Director of Operations at Virgin Media, Hugh Woolford, Chair of the Internet Services Providers' Association (ISPA), James Blessing and Managing Director of AAISP, Adrian Kennard all gave evidence to the Joint Committee scrutinising the IPB.1 Here are some of the issues that they raised:
Internet Connection Records are ill-defined
The Investigatory Powers Bill would force ISPs to create and retain even more data about their customers.
ISPs are already obliged to keep certain types of communications data for 12 months under the Data Retention and Investigatory Powers Act (DRIPA). Under the IPB, the data retained would be extended to include “Internet Connection Records”. These are described in the Bill’s explanatory notes as, “a record of the internet services a specific device has connected to, such as a website or instant messaging application”.2 However, the definitions within the Bill itself are much broader and open to interpretation. When asked to rate the clarity of definitions contained in the Bill, on a scale of one to ten, Adam Kinsley of Sky said that the definition of ICRs was, “pretty close to zero” and stressed that further clarification would be needed through codes of practice. James Blessing told the committee that the Bill doesn't spell out, “what information is required to be captured, what format it is to be stored in and how it is to be made available”.
This lack of definition means that it is very difficult for ISPs to know what systems they need to put in place to capture and store the required data. Virgin Media’s Hugh Woolford believes that: “this Bill could potentially look at us, all of us, having to almost mirror our entire network's traffic to enable us to then filter it”.
ICRs need to be created not retained
The explanatory notes to the Bill claim that an ICR is “captured by the company providing access to the Internet”3 but this is not the case. Woolford told the Joint Committee: “This is something that is completely new … from a business point of view, there's no need for us to capture any of this information.” This point was reiterated by Blessing who said: “Internet Connection Records don't exist, they are not a thing, they are not generated in normal business.”
ISPs could be prevented from talking about ICRs
The terms of the Bill means that ISPs would be prevented from discussing orders they receive the Home Secretary. Blessing argued that Internet companies differ from other types of industry because even competitors rely on each other. How each ISP collects ICRs would vary from network to network. If they understood exactly what was expected, they could then discuss the best ways to collect them in an open forum. Preventing them from doing so will affect how effectively they can deliver their services.
The filter carries privacy and security risks
The police and other government departments would use a “filter” that would analyse data to identify what may be of interest. This has been presented as a privacy-enhancing measure that would reduce the amount of data accessed. In practice, it will mean that data mining takes place prior to authorisation and some ISPs appear uncomfortable with this. Virgin Media's Woolford told the Joint Committee: “what we don't want to do is become data analysers of information”.
ICRs fall under the existing, usually internal, authorisations for communications data, which means there is not the supposed “double lock” of judicial authorisation that has been proposed for other surveillance warrants. Adrian Kennard, pointed out to the Joint Committee that allowing third party access to this data increases the risk of it being compromised.
The budget doesn’t add up
As companies don't already create or retain this data, they will need to invest in new systems. BT's Mark Hughes broke down the costs for ICR retention as capital investment, growth in bandwidth and maintenance and storage. Keeping ICRs secure would be a significant part of these costs.
The Home Office has allocated £174.2 million over ten years to cover these costs. However, Hughes, told the Joint Committee that this would effectively cover BT's costs alone. Woolford also indicated that Virgin Media’s expected costs would be tens of millions of pounds. While an obvious concern for companies and their shareholders, customers could see price rises if costs are not fully met by the Home Office’s budget.
Kennard pointed out that the fact that the Home Office have come up with these costs means that that they must have an idea of what exactly it is they want ISPs to generate – so costs should theoretically help with clarification about what ISPs are expected to provide.
Undermining security undermines trust
If ISPs are forced to break encryption in order to respond to Home Office requests for data, there are serious implications for consumer trust. Kennard told the Joint Committee: “if providers are required, even secretly, to remove that protection, then obviously that removes all trust in those providers, if they are offering secure communications services but at any time they could be subject to an order that makes it not secure.” According to Kennard, this could cause companies to avoid being based in the UK and customers to avoid UK companies.
ISPs could be targets themselves
The IPB gives the police hacking powers and the security services bulk hacking powers that would allow them to hack individuals or networks in order to reach targets. As we saw with the GCHQ’s hacking of Belgacom, hacking can have major financial and reputational consequences for affected companies. Woolford, Kinsleigh and Hughes were reluctant to answer the Joint Committee’s questions about bulk hacking powers. However, Hughes did admit that BT was “not OK with anything that undermines the integrity of our network.”
ISPs could be given permission to intercept data
The IPB would also give ISPs permission to intercept communications data for the purpose of filtering content (s33). We believe that could be used, for example, to allow companies to intercept all traffic so they can identify malware or see if it should be blocked by their family friendly filters. It could be used to permit a much wider range of detection and blocking of legal or illegal content, including through ISP terms and conditions. This opens the door for new private enforcement measures beyond the apaprent intention of section 33.
The Government needs to present an operational case
No one would argue that ISPs shouldn't help the police and security services when it comes to tackling serious crime and terrorism. But when we are asking companies to compromise their customers' privacy and security, it should because there is suspicion that a crime has taken place or that serious harm can be prevented.
Many European countries are ending the retention of communications data without any noticeable effect on their ability to prevent and solve crime. No other EU or Commonwealth country forces their ISPs to record Internet histories. Operational cases need to be subject to scrutiny, as they have been in the USA. There, close examination of these cases has resulted in a scaling back of bulk programmes, as the results have been shown to be poor.4 If UK ISPs are to be forced into collecting personal data on an unprecedented scale, the Government needs to present an evidence-based operational case.