Internet Connection Records are a new form of communications data created by the Investigatory Powers Bill at Parts 3 and 4. They constitute an unlawful interference with privacy with the ability to provide a highly detailed record of the activities of individuals, profiling their internet habits.
Clause 62 of the Investigatory Powers Bill (“IP Bill”) permits a wide range of public authorities to collect Internet Connection Records, however throughout debates on this highly controversial new power to obtain Internet Connection Records (“ICRs”), the focus has been on the use of ICRs by law enforcement with no consideration how it could be used by the intelligence agencies in combination with bulk powers. As stated by the Government:
“Internet connection records (ICRs) are about updating law enforcement’s use of communications data (CD) for the internet age.”
In light of statements made recently in the review of bulk powers by David Anderson QC (“the Anderson Review”) that there is nothing to prevent future use of bulk acquisition powers in relation to ICRs, there needs to be more focus on the risks associated with how this power could be used by the intelligence agencies.
ICRs remain an unknown quantity. Despite Communication Service Providers (“CSPs”) stating they are unclear on what constitutes an ICR, there have been no amendments to the Bill to address this. Once the Bill becomes law CSPs served with a data retention notice (Part 4 IP Bill) will be required to generate and keep ICRs, whatever the retention notices states they are, for 12 months. The Government offers consolation that to acquire ICRs from the CSPs there is an application process and strict controls. Yet there is neither judicial or other independent authorisation process which conducts a full merits based assessment of the necessity and proportionality of any request[i], when public authorities issue a retention notice, nor when public authorities decide to access communications data held by CSPs, including ICRs.
In addition to the inadequacies on the face of the regime, the Government has failed to explain that ICRs could also be collected in bulk by the intelligence agencies and failed to justify the use of bulk acquisition powers, thus avoiding the cited safeguards in relation to accessing ICRs.
This failure by the Government to frankly admit the potential use by the intelligence agencies has deprived stakeholders and the public of the opportunity to consider whether this use is necessary and proportionate in addition to the vast number of other powers held by the intelligence agencies. Indeed the intelligence agencies themselves previously stated they do not want or need ICRs to keep us safe.
The Intelligence and Security Committee reported that the ICR proposals:
“could be interpreted as being the only way in which Internet Connection records may be obtained. However, this is misleading: the Agencies have told the Committee that they have a range of other capabilities which enable them to obtain equivalent data.”[ii]
If the intelligence agencies do not want or need ICRs then they should be explicitly excluded from requiring their generation and obtaining them via bulk acquisition.
With ICRs not sufficiently defined, exactly what will be created, collected in bulk and ingested into the GCHQ databases, will not be fully know or understood and what constitutes an ICR will evolve in secret.
As Privacy International has learnt, vague surveillance powers are often pushed to the boundaries of interpretation by the Government, adept at semantic gymnastics, with consequences for individuals’ private lives and private data which no one could anticipate.
What are ICRs? a vague, undefined power
Following an amendment to the initial draft of the Investigatory Powers Bill, ICRs are not only a new type of ‘communications data’[iii], but encompass all other forms of ‘relevant communications data’[iv].
Existing legislation governing communications data retention, the Data Retention and Investigatory Powers Act 2014, which is currently in force and will be replaced by the IP Bill, does not require the generation of ICRs by CSPs. The Investigatory Powers Bill represents a huge extension of communications data powers. It provides public authorities with unlimited potential data fields which they can require CSPs to generate and retain.
The Government represents that ICRs “are records of the internet services that have been accessed by a device” and the power to collect them is necessary “to attribute particular action on the internet to an individual person.” It provides, as an example of an ICR, “a record of the fact that a smartphone had accessed a particular social media website at a particular time.”
However, ICRs are also described as flexible[v] in the Bill and the Autumn 2016 draft Code of Practice on Communications Data states ‘there is no single set of data that constitutes an internet connection record, it will depend on the service and service provider concerned’. The Code states that:
“Where a data retention notice is issued requiring a CSP to retain ICR the specific data that an internet access provider may be required to retain will be discussed with the provider before the requirement is imposed.”
ICRs do not naturally exist as a result of the normal work of a CSP. To add to the confusion about what they are, their definition is not technically crafted, meaning that they are not a discreet or defined type of data. Resulting in the clear risk that their meaning is open to interpretation by public authorities at the point they choose to issue a data retention notice.
They would have to be created, a concern repeatedly raised by CSPs. To emphasize this point, CSPs will be compelled to generate data they do not usually hold or process, if they are served with a communications data retention notice that requires this. They are not permitted to disclose publicly the data retention notices preventing debate on what is and is not acceptable data for CSPs to be forced to generate.
The Joint Committee examining the Investigatory Powers Bill expressed concern that the provisions on internet connection records (ICRs) lack clarity. BT stated in its submission to the Joint Committee:
‘ICRs do not currently exist and we [CSPs] do not need them in order to attribute IP addresses to users or for normal business purposes. So, this proposed requirement would mean that CSPs would have to generate and retain data that they currently do not, which represents a significant new development.’
Stakeholders have described ICRs as the internet history of every internet user in the UK. At the very least they comprise a 12-month log of websites visited, communications software used, system updates downloaded, desktop widgets used (e.g. calendars, notes), every mobile app used (e.g. Whatsapp, Signal, Google Maps), and logs of any other device connecting to the internet, such as games consoles, baby monitors, digital cameras and e-book readers. They are comparable to a compilation of call records, postal records, library records, study and research records, social and leisure activity records, location records, and additionally capture concerns about health, sexual and family issues. The Agencies would be able to acquire this intrusive, population level data in bulk under bulk acquisition powers.
In relation to websites visited, these are referred to as ‘web logs’. The Government stated:
“Weblogs are a record of the interaction that a user of the internet has with other computers connected to the internet. This will include websites visited up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of the other computers or services with which contact occurred.”
Anderson expressed deep hesitation about introducing an obligation for CSPs to retain such data. He noted it had not been demonstrated that “access to weblogs is essential for a wide range of investigations” and that even within the law enforcement community, “it is widely accepted…that the compulsory retention of web logs would be potentially intrusive”.
Anderson concluded that while
“retained records of user interaction with the internet (whether or not via web logs) would be useful … that is not enough on its own to justify the introduction of a new obligation on CSPs, particularly one which could be portrayed as potentially very intrusive on their customers’ activities.”
However, undermining the statement that they will only go to the first ‘/’, the code of practice states:
An ICR may consist of: …Those elements of a URL which constitute communications data — this is the web address which is the text you type in the address bar in an internet browser. In most cases this will simply be the domain name — e.g. socialmedia.com
This allows the possibility that in some cases they can go beyond the first ‘/’, to collect even more intrusive browsing histories.
Who is a CSP
Not only it is impossible to assess exactly what an ICR could contain, the definition of a telecommunications operator (i.e. CSP) has been widened thus it is impossible to know who exactly would be required to retain them.
2.5 The definition of a telecommunications operator also includes application and website providers but only insofar as they provide a telecommunication service. For example an online market place may be a telecommunications operator as it provides a connection to an application/website. It may also be a telecommunications operator if and in so far as it provides a messaging service.
2.6 Telecommunications operators may also include those persons who provide services where customers, guests or members of the public are provided with access to communications services that are ancillary to the provision of another service, for example in commercial premises such as hotels or public premises such as airport lounges or public transport.
So what does Anderson’s Review of bulk powers state regarding ICRs?
David Anderson QC reviewed a number of highly controversial bulk powers, including bulk acquisition in his review. He stated that:
2.41 It can safely be said however that:
(a) The existing power and the power in Part 6 Chapter 2 of the Bill both enable the SIA’s to obtain large amounts of communications data, most of it relating to individuals who are unlikely to be of intelligence interest; but that
(b) Content cannot be obtained under either power, and it is not currently envisaged that the bulk acquisition power in the Bill will be used to obtain internet connection records.
Anderson qualified this current interpretation in Footnote 85, which states:
A “Bulk Communications Data” factsheet published with the draft Bill on 4 November 2015 stated “The data does not include internet connection records…”. I am told however that this is no more than a statement of present practice and intention: neither the Bill nor the draft Code of Practice rules out the future use of the bulk acquisition power in relation to ICRs.
Yet in the Government’s operational case for bulk powers, a power only available to the intelligence agencies, there is no mention of ICRs except where it states that bulk capabilities are an additional power to ICRs, rather than including ICRs.
How could ICRs be used?
The intelligence agencies currently use section 84 of the 1984 Telecommunications Act to acquire communications data in bulk. Communications data does not currently include ICRs as the power to require CSPs to create ICRs is one of the new powers that will be introduced by the Investigatory Powers Bill.
As stated in Anderson’s report, bulk communications data may include ICRs in the future.
In relation to bulk acquisition powers, the IP Bill states in Part 6 Clause 159(6) that the power to issue bulk warrants authorizes or requires a person:
(i) To disclose to a person specified in the warrant any communications data which is specified in the warrant and is in the possession of the operator,
(ii) To obtain any communications data specified in the warrant which is not in the possession of the operator but which the operator is capable of obtaining, or
(iii) To disclose to a person specified in the warrant any data obtained as mentioned in sub-paragraph (ii)
CSPs can be compelled to generate ICRs via a data retention notice thus ICRs will be ‘in the possession of the operator’ in order to effect bulk acquisition using clause 159(6)(i) In relation to (ii) that ‘the operator is capable of obtaining’ it is worth noting the existence of technical capability notices. Using these the government can require a CSP to provide a technical capability to give effect to a notice or authorisation to generate or retain an ICR.
’10.2 The Secretary of State may give a relevant CSP a ‘technical capability notice’ imposing on the relevant operator obligations specified in the notice, and requiring the person to take all steps specified in the notice.’
Given the potential costs associated with a technical capability notice and data retention notice, rather than the Government contributing towards these costs, it could force CSP’s to use its own products[vi].
If a CSP refuses to comply the government can bring civil proceedings against them. The CSP is forbidden from disclosing details of a technical capability notice and data retention notices. This means no public information about what Government is forcing companies to do, think Apple v FBI.
Thus using powers in Part 3 and 4 of the Bill, the intelligence agencies can require the creation of communications data that can then be acquired in bulk. At the point they are acquired using bulk acquisition powers, that this data includes the undefined and concerning internet connection records will not be noted. How safeguards and oversight can effectively apply to ICRs in this scenario is a mystery.
We face a situation where CSPs can be compelled to generate forms of communications data they do not hold as part of their standard business practices, at the behest of Government and Government can use technical capability notices to ensure that CSPs have the technical capabilities to generate whatever it is the Government is after. Further the Government can insist on the CSP the Government’s own technology to generate ICRs, if paying for the CSP to develop their own technology is too costly.
Once generated, ICRs can be treated as communications data[vii] for the purpose of bulk acquisition powers used by the intelligence agencies, obtained on a regular basis and merged with other bulk datasets[viii] providing a highly detailed record of the activities of individuals, profiling their internet activities. This is deeply concerning.
As we move towards a world of the internet of things and as technology develops in leaps and bounds, we have to question whether we are comfortable leaving this seemingly unrestrained power on the statue books.
— — — — — — — — — — — —
[i] See concerns about use of judicial review principles in any approval of retention notices by Judicial Commissioners: https://justice.org.uk/wp-content/uploads/2016/04/JUSTICE-Investigatory-Powers-Bill-HC-CS-Briefing-Parts-1-2-FINAL-FOR-CIRCULATION-April-2016.pdf
[ii] Report of the draft Investigatory Powers Bill — The Intelligence and Security Committee, 9 February 2016; Recommendation I (emphasis added).
[iii] An ICR was defined in the initial draft Bill and later amended (shown in underline) to:
63(7) In this Act “internet connection record” means communications data which –
(a) may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and
(b) comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person).
[iv] In the first draft of the Bill, November 2015, ‘relevant communications data’ at Clause 71(9) listed types of communications data from (a) to (e) included at sub-section (f) an internet connection record as a separate type of communications data. However this Clause was amended and the relevant part now at Clause 88(11) states that all the sub-sections i.e. (a) — (e) ‘include’ internet connection records and subsection (f) has been removed.
[formerly Clause 71(9)(f) and currently Clause 88(11) the strike out indicates what has been removed and underlining what has been added as a result of amendments:
In this Part “relevant communications data” means communications data which may be used to identify, or assist in identifying, any of the following –
(a) the sender or recipient of a communication (whether or not a person),
(b) the time or duration of a communication,
© the type, method or pattern, or fact of communication,
(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted,
(e) the location of any such system, or
(f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.
In this subsection “identifier” means an identifier used to facilitate the transmission of a communication.
and this expression therefore includes, in particular, internet connection records. ]
[v] Annex A: Terminology and Definitions — Home Office, in evidence to the Joint Committee on the draft Investigatory Powers Bill, (IP0146), January 2016, p.1
[vi] ’19.21 In certain circumstances it may be more economical for products to be developed centrally rather than CSPs or public authorities creating multiple different systems to achieve the same end…
19.22 Section 226 of the Act provides a power for the Secretary of State to develop compliance systems. This power could be used, for example, to develop consistent systems to be used by CSPs or systems to be used by public authorities to acquire communications data. Such systems can operate in respect of multiple powers under the Act.
[vii] There is an additional confusion that once ICRs have been generated, the Code of Practice states that the application to obtain them will refer to events data:
7.1 … any application that involves the disclosure of ICRs must be authorized as events data.
There is no explanation provided as to why this is the case and the consequences of re-branding ICRs as ‘events data’ are unclear, including for oversight. It is unclear whether this is in relation to all applications for disclosure of ICRs i.e. they would all refer to events data rather than ICRs. This is confusing. Events data is presumably a far more limited type of communications data than the expansive and seemingly unlimited definition of what constitutes an ICR. Either this section of the Code should be deleted or an explanation provided for this clause.
[viii] David Anderson Bulk Powers report
6.21 I understand that GCHQ merges the bulk acquisition data in its possession with bulk interception data, and that GCHQ analysts conducting searches will not necessarily be aware of the source of the information they obtain.
6.43 A GCHQ strategy paper for 2016–19 set out GCHQ’s plans for the development and enhancement of its bulk data capabilities. It appears from that document that bulk acquisition was seen as having significant value to GCHQ, particularly in conjunction with data from other sources.