Data held by ISPs
pol at geekstuff.tv
Tue Dec 23 11:39:14 GMT 2014
Quoting Roland Perry <lists at internetpolicyagency.com>:
> In article <A5423792-2D7C-43A0-8C36-BBD52C9DA885 at batten.eu.org>, Ian
> Batten <igb at batten.eu.org> writes
>>> I'm not an expert on this subject but I agree that the correct
>>> route would be a SAR. I would be interested in seeing the detail
>>> in the logs.
>>> How identifiable would they be in native form? I guess if its
>>> anything like normal proxy logs they would only log the IP address
>>> and activity
>>> (poss MAC) in which case they would need to then identify who add
>>> that IP address and at what time from DHCP logs.
>> In what sense is any of that personal data which would fall under
>> the Data Protection Act?
> IP addresses (of the subscriber) are personal data.
> Although it's taken a long time for this to be nailed into law
> (rather than denied by the MRD brigade).
Surely they're only personal data for the duration of them being
allocated to that user, otherwise you fall foul of the "?Adequate,
relevant and not excessive" principle, as the IP address could now be
associated with another individual.
Looking at it, I could see the following ISP data
1) Customer record (Billing/contact) - this is clearly personal data
and is clearly in scope
2) Customer correspondence - again, clearly in scope
3) RADIUS logs - some logs will embed the user name, some will
simply log that a device connected - there's a query here over whether
or not this is personally identifying - if what is logged is some
reference which is directly attributable to the customer record such
as username or a GUID which is tracked in the customer then I can see
a reasonable argument for this being personally identifying data,
however if it's simply tracking the MAC of the device attached to the
tunnel, then it may not be as customer devices can be swapped around,
and there's no guarantee that Customer X hasn't sold his router to
Customer Y. This one really comes down to what additional information
is available in the log.
4) IP Flow data - would require a secondary correlation to the
temporal occupant of any given IP address - I can't personally see
this being "Personally identifying", however I'm more than sure that
the IP Landgrab that is the UKs surveillance laws would make a good
argument on this.
5) Application log data - for things like e-mail servers, there will
be a username/password pair that will be allocated to a specific user,
or an IP address which can again be mapped to the temporal occupant of
the IP address.
Many, many years ago I was involved in quite a lot of this for a
very large ISP and I know we had some rather "Full and frank exchanges
of views" with various government entities over just *what* would be
retailed under a mandatory retention order. I have a horrible feeling
that our viewpoint may have caused the subsequent regulations to
harden their viewpoints rather a lot.
More information about the ukcrypto