UK Data Retention and Investigatory Powers Bill

Caspar Bowden (lists) lists at casparbowden.net
Fri Jul 11 14:51:37 BST 2014


On 07/11/14 15:31, Ian Batten wrote:
> On 10 Jul 2014, at 21:14, Roland Perry <lists at internetpolicyagency.com> wrote:
>
>> In article <CAK0b=2cu=0GrxSXoA8BedTPfseu0dBAv+qBxmOENd+vgYD17Qw at mail.gmail.com>, Tony Naggs <tony.naggs at googlemail.com> writes
>>> I'm not really clear why a law change is required for communications data to be held for 12 months. Probably most businesses will want to hold this data for a year in order to address billing disputes & such
>> Very few ISPs produce itemised bills saying who you emailed and when, or listing which web pages you went to in order to use up your 1GB/month.
> I still don't follow (either technically or legally) on what basis ISPs will be able to retain logs of which websites you visited.

Up until now, I think the 2003 Code of Practice on ATCSA Retention - it is still in force.

DRIP 1(2)c now provides compulsion, of what was previously "voluntary"

> I thought it was quite clear (and, indeed, that it was Roland who negotiated this with Simon Watkin, late of this parish) that "communications data" only covered the bit up to the first / in the URL, and that in any event that only arose when (as was much more common back then) the ISP had natural access to that data, such as when running an outbound cache (younger readers may like to ask their fathers).

Most ISPs (esp mobile) have kit which will do this now, the only quibble is the rationale to switch it on.

The govt can also say any data is necessary for national security and disapply DPA Principles backed (only if challenged) by a DPA s.28 cert.

> I guess (conspiracy theory alert) that such logs might be generated out of the back of the Cameron-mandated content filters, but for people who are not opted in to those, on what basis would the ISP have the information?

"Malware" or "cybersecurity" usually works.

> And those that are opted in to them, if the ISP were to log the URLs without redacting them at the first /, wouldn't they still fall foul of the DPA because DRIP explicitly only provides cover for retaining RIPA S.21 metadata, and everything after the / is content?

Yes. Art.29 WP did an "inspection" of a mobile and fixed ISP in 2 countries (not UK) circa 2009, and found gross overcollection, especially in mobile ISPs.

Did they enforce? Did they ____

Apparently "enforcement" incompatible with "fact-finding" inquiry

CB


