nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Small ISPs 'probably' won't receive data retention order following IP Bill

Unless they do...

By Kat Hall, 25 Nov 2016

The government “probably won’t” force internet service providers with no history of working with the intelligence services into retaining internet records following wide-ranging new powers passed in the Investigatory Powers Bill, the Home Office has said.

Last week the Investigatory Powers Bill - dubbed the Snoopers Charter - passed, which will require internet providers to record the websites and apps to which their customers connect. It is due to become law by the end of 2016.

It has been widely criticised by technology companies across the board, including Apple and Google.

Speaking at the Internet Service Providers Association conference, Chris Mills, former IP Bill manager at the Home Office, said: "The important thing is if we are not already talking to you about internet connection records, we probably won’t be."

He claimed the IP Bill was mostly about updating existing legislation and putting it in one place and wasn’t about changing the requirements for industry.

“The one new one power of the bill requires the retention of internet records, but that is about filling a capability gap law enforces have identified.”

He said: "It will not affect every ISP, far from it."

But Chris Beeson, who also worked on the IP Bill at the Home Office, admitted that ISPs not already working with the spooks shouldn’t rule out being approached in the future.

“If we are not in conversation with you already… it is possible law enforcement will put a case [forward],” he said. “[That] does not mean someone will turn up on your doorstep with a retention notice,” adding there will be a "period of negotiation with the Home Office" asking what the ISP will need to do to change its network.

“We will do that in a collaborative way,” he said. He added that there were no "numerical criteria" for deciding whether intelligence could be gained from a particular network, adding that if the police and intelligence services deemed there was, then a judge would decide if the "gains are proportionate" and would then consider serving a notice.

Mills noted that the government provides for "cost recovery" for providers which have to change their networks to comply with the new powers. “So it is not in our interest to ask you to do unreasonable things as we will have to pay for them,” he said - adding that the process would have to be signed off by a judge.

However, ISPs have pointed out that the current wording of the bill does not explicitly state that all costs would be recovered - instead it mentions “appropriate costs” which could be open to interpretation. For a small provider, that would not necessarily include the man hours spent having to update its network.

The science and technology committee has discussed the potential £2bn annual cost of data harvesting on the tech industry.

Asked what duty the provider has to inform their customers of the data retention, Mills said: “There is no obligation to inform customers, in fact it would be unlawful to do so.” He said such a disclosure would incentivise targets to move providers.

Beeson said providers could make a case as to the necessity and proportionality of data retention after collection – which would allow collateral data to be deleted.

"The request would then delete all that stuff, so we don’t end up with all the outlying data being retained.” ®

The Register - Independent news and views for the tech community. Part of Situation Publishing