Data held by ISPs
Paul Brown
pol at geekstuff.tv
Tue Dec 23 11:39:14 GMT 2014
Quoting Roland Perry <lists at internetpolicyagency.com>:
> In article <A5423792-2D7C-43A0-8C36-BBD52C9DA885 at batten.eu.org>, Ian
> Batten <igb at batten.eu.org> writes
>>> I'm not an expert on this subject but I agree that the correct
>>> route would be a SAR. I would be interested in seeing the detail
>>> in the logs.
>>> How identifiable would they be in native form? I guess if it's
>>> anything like normal proxy logs they would only log the IP address
>>> and activity (poss MAC), in which case they would need to then
>>> identify who had that IP address and at what time from DHCP logs.
>>
>> In what sense is any of that personal data which would fall under
>> the Data Protection Act?
>
> IP addresses (of the subscriber) are personal data.
>
> Although it's taken a long time for this to be nailed into law
> (rather than denied by the MRD brigade).

Surely they're only personal data for the duration of them being
allocated to that user, otherwise you fall foul of the "Adequate,
relevant and not excessive" principle, as the IP address could now be
associated with another individual.

Looking at it, I could see the following ISP data:

1) Customer record (Billing/contact) - this is clearly personal data
   and is clearly in scope
2) Customer correspondence - again, clearly in scope
3) RADIUS logs - some logs will embed the user name, some will
   simply log that a device connected - there's a query here over whether
   or not this is personally identifying - if what is logged is some
   reference which is directly attributable to the customer record such
   as username or a GUID which is tracked in the customer then I can see
   a reasonable argument for this being personally identifying data,
   however if it's simply tracking the MAC of the device attached to the
   tunnel, then it may not be as customer devices can be swapped around,
   and there's no guarantee that Customer X hasn't sold his router to
   Customer Y. This one really comes down to what additional information
   is available in the log.
4) IP Flow data - would require a secondary correlation to the
   temporal occupant of any given IP address - I can't personally see
   this being "Personally identifying", however I'm more than sure that
   the IP Landgrab that is the UK's surveillance laws would make a good
   argument on this.
5) Application log data - for things like e-mail servers, there will
   be a username/password pair that will be allocated to a specific user,
   or an IP address which can again be mapped to the temporal occupant of
   the IP address.

Many, many years ago I was involved in quite a lot of this for a
very large ISP and I know we had some rather "Full and frank exchanges
of views" with various government entities over just *what* would be
retained under a mandatory retention order. I have a horrible feeling
that our viewpoint may have caused the subsequent regulations to
harden their viewpoints rather a lot.

P.
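
Added example, not part of the original message: the "secondary correlation" from items 3 and 4 above, attributing a flow record's IP address to whoever held it at that moment using RADIUS-style session records. The record layout, field names, addresses and usernames are constructed for illustration and do not follow any particular ISP's log format.

```python
from datetime import datetime
from typing import NamedTuple, Optional

class Session(NamedTuple):      # constructed RADIUS-style accounting session
    ip: str
    start: datetime
    stop: Optional[datetime]    # None = session still open
    username: Optional[str]     # None = log recorded only the device
    mac: str

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

SESSIONS = [  # constructed sample data: one IP reallocated between two customers
    Session("203.0.113.7", ts("2014-12-01 08:00:00"), ts("2014-12-01 20:00:00"),
            "customer_x", "00:00:5e:00:53:01"),
    Session("203.0.113.7", ts("2014-12-01 20:05:00"), ts("2014-12-02 09:00:00"),
            "customer_y", "00:00:5e:00:53:02"),
    Session("203.0.113.9", ts("2014-12-01 08:00:00"), None,
            None, "00:00:5e:00:53:03"),
]

FLOWS = [  # constructed (src_ip, timestamp, destination) flow records
    ("203.0.113.7", ts("2014-12-01 12:00:00"), "198.51.100.10:443"),
    ("203.0.113.7", ts("2014-12-01 20:02:00"), "198.51.100.11:80"),  # between allocations
    ("203.0.113.7", ts("2014-12-01 23:00:00"), "198.51.100.12:25"),
    ("203.0.113.9", ts("2014-12-01 12:00:00"), "198.51.100.13:443"),
]

def attribute(ip, when, sessions=SESSIONS):
    """Return (status, username) for the holder of `ip` at time `when`."""
    hits = [s for s in sessions
            if s.ip == ip and s.start <= when and (s.stop is None or when < s.stop)]
    if not hits:
        return ("unattributed", None)   # nobody held the address at that time
    if len(hits) > 1:
        return ("ambiguous", None)      # overlapping sessions: do not guess
    if hits[0].username is None:
        return ("device_only", None)    # a MAC alone does not name a customer
    return ("subscriber", hits[0].username)

def flows_for_subscriber(username, flows=FLOWS, sessions=SESSIONS):
    """Keep only the flow records attributable to `username`, e.g. to scope a SAR."""
    return [f for f in flows
            if attribute(f[0], f[1], sessions) == ("subscriber", username)]
```

The same address resolves to different customers, or to nobody, depending on the timestamp, and the device-only session never resolves to a customer at all.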