UK Data Retention and Investigatory Powers Bill

Roland Perry lists at internetpolicyagency.com
Fri Jul 11 18:43:44 BST 2014


In article <E9E7E2EC-7B7F-4AAA-9187-1D3EE097AC85 at batten.eu.org>, Ian 
Batten <igb at batten.eu.org> writes
>>> I'm not really clear why a law change is required for communications data to be held for 12 months. Probably most businesses will want to hold this data for a year in order to address billing disputes & such
>>
>> Very few ISPs produce itemised bills saying who you emailed and when, or listing which web pages you went to in order to use up your 1GB/month.
>
>I still don't follow (either technically or legally) on what basis ISPs will be able to retain logs of which websites you visited.

That's what the UK Data Retention stuff does (various versions of, but 
not the Directive which doesn't address web browsing, only email; and 
some say as a result doesn't address webmail).

> I thought it was quite clear (and, indeed, that it was Roland who negotiated this with Simon Watkin, late of this parish) that "communications data" only covered the bit up to the first / in the URL,

That's the disclosure part, in RIPA tailpiece of 21(6)(d).

And what's in RIPA is only a proxy for "the first /", but the best proxy 
we could come up with in Parliamentary language.

But I expect the CSP will probably be retaining the whole thing, ahead 
of only disclosing what's allowed, but CSPs are welcome to correct me. In 
other words not redacting the logs in real time.

No disrespect to Simon, who was always a very reliable communications 
channel, but the negotiation was with ministers, and the idea was 
Caspar's.

> and that in any event that only arose when (as was much more common back then) the ISP had natural access to that data, such as when running an outbound cache (younger readers may like to ask their fathers).

Yes, that's where the logs would originally have arisen, but only for 
very short periods of time. Not even the three/four days that law 
enforcement hoped for (to cover bad things happening over a long 
weekend).

> I guess (conspiracy theory alert) that such logs might be generated out of the back of the Cameron-mandated content filters, but for people who are not opted in to those, on what basis would the ISP have the information?

> And those that are opted in to them, if the ISP were to log the URLs without redacting them at the first /, wouldn't they still fall foul of the DPA because DRIP explicitly only provides cover for retaining RIPA S.21 metadata, and everything after the / is content?

I'd need to study these points in greater detail before commenting 
(having been out of this arena for many years now).
-- 
Roland Perry



More information about the ukcrypto mailing list