Saturday, 5 September 2015

Predicting the UK’s new surveillance law

What will this autumn’s draft Investigatory Powers Bill contain?  We can take a reasonable guess at the outline. Interception powers will get a makeover: at a minimum RIPA has to be rewritten intelligibly and reinforced to comply with human rights norms.  In the post-Snowden climate there may be a little more openness about how law enforcement and agencies use their powers.  We will hear a lot about proportionality, safeguards and oversight. 

Filling in the picture is more difficult.  Three surveillance reviews have reported in the last 6 months and between them have made almost 200 recommendations. As yet there is little indication of which ones the government intends to take up. Some of the recommendations would involve wide consultation before a decision could be taken. Yet time for consultations is running out if the draft Bill is to be put before a Joint Parliamentary Committee for pre-legislative scrutiny this autumn.

Perhaps the greatest uncertainty is around the government’s stated intention to press on with the Communications Data Bill – dubbed the Snoopers’ Charter – which stalled in December 2012 following severe criticism of the draft Bill by an all-party Joint Parliamentary Committee.  The CDB would have significantly expanded the amount and types of communications data that service providers could be required to retain (and, for the first time, be compelled to generate) for access by public authorities. After pressure from the Committee the Home Office identified three particular datatypes that it wanted UK service providers to retain: IP address resolution data, weblog data and third party data (explained below).

Bringing back the CDB is not a simple matter of dusting off the 2012 draft. Retention of some IP address resolution data was implemented earlier this year by the Counter Terrorism and Security Act.  The Anderson report accepted that retention of weblog data would be useful, but went on:
“[I]f any proposal is to be brought forward, a detailed operational case needs to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained.”
For third party data Anderson said:
“There should be no question of progressing proposals for the compulsory retention of third party data before a compelling operational case for it has been made out (as it has not been to date) and the legal and technical issues have been fully bottomed out.”
If those recommendations are heeded, that leaves only compulsory generation of data and possibly the ‘request filter’ (see below) that could be brought forward without first making a new case for them. In any event the Anderson report contains hints that law enforcement themselves may not now be pushing so strongly for some of the most ambitious and expensive parts of the CDB. On the CDB generally Anderson comments that “law enforcement itself wishes to reserve its detailed position on these proposals pending further discussions with a Government that has a political mandate to take it forward.” [9.67]

Nor could the government reintroduce unchanged the controversial Ministerial order-making power in Clause 1 of the CDB, described by Anderson as “excessively broad”. The power was at the heart of the CDB and was intended to future-proof the legislation.  It would also have served to keep from public sight operational details of what data was being retained. The Home Office told the Joint Committee in 2012 that it would review the approach in Clause 1:  “We did receive from Mr Farr the important undertaking that Home Office officials would look at clause 1 again, and advise Ministers on whether it can be changed, enhanced or improved.”

A revised draft Communications Data Bill does exist within the Home Office. Anderson reports that:
“The Home Office sought to take the recommendations of the JCDCDB into account and produced a pared-down draft Bill in early 2013, which I have been shown. … Though I asked Ministers in late 2014 for permission to show the draft Bill (or at least a summary of it) to CSPs with whom I discussed the issues … that permission was not forthcoming. It became clear that in the absence of unified political will to progress the proposals, there has been little discussion of them with important stakeholders.”
Add into the mix the Snowden fallout (the Chair of the CDB Joint Committee was unamused to find that it had not been ‘even given any hint’ of the existence of PRISM and TEMPORA), suggestions that the technological systems proposed in the CDB are no longer as relevant or appropriate as they seemed in 2012 (Anderson para 14.29) and a clutch of recent court decisions that, among other things, have invalidated (suspended until March 2016) the existing communications data retention regime under DRIPA (the Data Retention and Investigatory Powers Act 2014) and we have a crystal ball that is cloudy in the extreme. 

Despite all of this, we can take a shot at predicting some of what may be in the new draft Investigatory Powers Bill. (For a more comprehensive survey of the coming debate see here.)

GCHQ’s bulk interception warrant

What is it? The bulk interception warrant under Section 8(4)of RIPA. These warrants authorise GCHQ’s TEMPORA programme of tapping into transatlantic fibre optic cables, one of the most significant Snowden disclosures.  According to the Snowden documents back in 2012 TEMPORA processed some 40 billion items a day.

Section 8(4) is primarily a foreign investigatory tool, but has significant domestic overlap.  While it focuses on capturing external communications (at least one end outside the British Islands), those communications are mixed up in the cable with wholly internal communications (both ends within the British Islands). In that situation Section 8(4) allows internal communications to be collaterally swept up into a common pool. The stream of data is filtered down by computers.  GCHQ’s analysts can then track communications of known suspects, search for suspicious material or try to join the dots of communications data to identify unknown suspects

GCHQ’s computers and analysts cannot trawl indiscriminately in the pool of external and internal communications. RIPA Section 16 is their fishing permit. It specifies what they can fish for and some types of hooks that they cannot use.  They may examine intercepted messages only within broad categories certified by the Minister. Without special authorisation the analysts cannot search by content for communications of people known to be within the British Islands at the time. However these constraints do not apply to communications data captured along with the intercepted communications. 

For: Regarded as a valuable tool for tracking the communications of known suspects and identifying previously unknown threats.

Against: General warrants went out with John Wilkes, yet Section 8(4) has the vice of the general warrant: collect in bulk first, then use the intercepted material to form suspicions. By contrast a targeted warrant is (or should be) justified only when there are pre-existing grounds for suspicion. There are also many specific criticisms of the bulk warrant system including the opaqueness of the drafting of RIPA Section 16, the relative absence of controls over searching and analysing captured communications data, the unworkability of the external/internal communications distinction and the ability of the Minister to authorise a search in the pool for the communications of someone known to be within the British Islands.

Status: None of the reviews has recommended abolition of bulk warrants.  Anderson has recommended several changes, including that each warrant should be much more specific in its objectives.  He has also recommended a standalone bulk communications data warrant, to be used where interception of content is not necessary.

Prediction: Bulk warrantry powers to stay, perhaps significantly modified.

Watch out for: Greater clarity of powers; public avowal of how they are used; specific objectives for warrants; tighter constraints on searching for communications of persons within British Islands; a framework for searching captured communications data; a standalone communications data warrant (perhaps including content-derived communications data); prior judicial or quasi-judicial authorisation; tighter limits on who can apply for a bulk warrant. 

More on bulk interception warrants here.

Broad Ministerial powers

What is it? A wide statutory power in Clause 1 of the draft CDB allowing Secretary of State to make regulations under which she could give notices to CSPs to generate, obtain and disclose communications data and to install designated equipment for that purpose.

For: Future proofing.

Against: Future proofing is inappropriate where intrusive powers are concerned due to unknown consequences. Legislative powers and actual capabilities should be aligned. Overly broad powers breed suspicion. If the real substance is buried two layers down in secret notices to CSPs then neither MPs nor the public can properly understand what is being voted on. An extended designated equipment power (the current RIPA power applies only to interception capability) smacks of surveillance by design, especially in conjunction with the power to compel communications data generation.

Status: Home Office told the Joint CDB Committee that it would look again at Clause 1.

Prediction: Increased specificity, but government will still want a method of future-proofing.

Watch out for: A guessing game to work out how the powers are intended to be used. Or will the government heed the ISC and Anderson’s recommendations that all intrusive capabilities should be publicly avowed?

More on future-proofing here.

Browsing histories

What is it? Extension of current data retention powers so as to require storage of browsing histories (alias weblog data). This was one of the most contentious aspects of the draft Communications Data Bill. It is like keeping a list, which the authorities could demand to inspect, of all the books, newspapers and magazines that you have read in the last year.  Weblog data probably excludes web addresses (URLs) ‘after the first slash’. That is like listing a book, but not every page within it.

For: a step towards providing law enforcement authorities, security agencies and other public authorities with perfect visibility of anyone’s internet activity

Against: a step towards providing law enforcement authorities, security agencies and other public authorities with perfect visibility of anyone’s internet activity

Status: A centrepiece of the original draft Communications Data Bill. Anderson wants a detailed operational case to be made out, and a rigorous assessment conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained.

Prediction: Bank on this one coming back in some form.

Watch out for: Ambiguity and unintelligibility of datatypes: accurate, clear explanations of the datatypes to be retained are essential if an informed debate is to take place. Will a new case be made? Will there be prior consultation separate from the pre-legislative Parliamentary scrutiny? Will it be limited to law enforcement and service providers or will the wider public and NGOs be consulted? How will invalidation of the existing data retention powers in DRIPA be addressed?

More on weblog data retention here.

Digital footprints

What is it? Retention of the geolocation data that, thanks to our smartphones and tablets, we leave like a breadcrumb trail behind us.  The Annex to the CDB Explanatory Note explained that Communications data “includes information identifying the location of equipment when a communication is or has been made or received (such as the location of a mobile phone)”. A phone call, text, software update, e-mail check, news feed update, an app checking in to its provider are all communications and they happen all the time. Each could have precise GPS or Wi-Fi location data associated with it. 

For: The ability to access a minute by minute map of our lives is useful to law enforcement.

Against: Not much different from the authorities putting a tracking bug on every one of us.

Status: The voluntary ATCSA Retention Code, which dates from 2003, specifies retention of location data for phone calls (12 months) and text messages (6 months), in latitude/longitude form.  DRIPA includes the mobile phone cell ID at the start of the communication (up to 12 months). Location data was in scope of the Secretary of State’s powers to direct retention under the draft CDB. The current German draft data retention Bill would require location data to be kept for 4 weeks.

Prediction: Probable.

Watch out for: This could get lost in the detail.

Data generation by decree

What is it? The Home Office would be able to order CSPs to generate communications data for the benefit of the authorities.  At the moment CSPs can only be made to retain data that they already generate or process in the UK. Think about that list of books, newspapers and magazines in the weblog data section (above). You don’t ordinarily keep a list? This is like compelling you to make one.

For: Law enforcement want the records to be made.

Against: Crosses a line into surveillance by design: requiring systems to be designed for benefit of the authorities. Could be used to require e.g. public wi-fi providers to collect name and address information from users.

Status: Proposed in the draft Communications Data Bill. Not yet implemented. Surprisingly little attention was paid in the three reviews to this significant extension of existing powers. 

Prediction: Data generation to reappear.

Watch out for: Will there be a lot of noise about it?

More on compelled data generation here.

Boundary between communications data and content

What is it? On the one side we have email addresses, user IDs, IP addresses, domains, and the like.  On the other side content (including URLs beyond the first slash). Public authorities have far readier access to communications data than to content.  There are also sub-divisions of communications data (traffic data, service use data, subscriber data) that under RIPA affect the conduct that is classified as interception. The powers of public authorities to demand access to communications data vary depending on the type of communications data.

Privacy advocates question the historic assumption that content is necessarily more sensitive than communications data. Changes to the dividing line would have an impact on the data that the authorities could request and a knock-on effect on the scope of communications data retention.  

Status: Anderson recommended that the boundary (including sub-divisions) should be reviewed, with input from all interested parties including service providers, technical experts and NGOs. The Intelligence and Security Committee suggested an intermediate category of ‘communications data plus’ and that content-derived information should continue to be regarded as content.

Prediction: Government will continue to maintain that communications data is less sensitive than content. Possible clarification of the boundary in areas of uncertainty such as social media and revision of communications data categories.

Watch out for: Full consultation? A definition of content? Treatment of content-derived communications data.

More on the content/communications data boundary here.

Third party data collection

What is it? A scheme that would enable the Home Office to require CSPs to collect and retain communications data from foreign services transiting their pipes.  This was part of the CDB.

For: A way of giving the authorities access to communications data that they can’t collect from overseas providers.

Against: Expensive, utility unclear.

Status: As well as demanding that a compelling operational case be made out before any proposals are progressed (see above), Anderson hints that law enforcement may be less keen than they were in 2012: “Law enforcement is also conscious that the proposal of third party data retention was a particularly expensive one, and that its utility will be peculiarly susceptible to technological developments. It may therefore be that this aspect of the Communications Data Bill is no longer judged to be the priority that it once was, even within the law enforcement community.” [9.64]

Prediction:  Anyone's guess.

Watch out for: Lack of clarity over any proposed powers; dividing line between content and communications data.

More on third party data collection here.

Request filter

What is it? A plan for a system enabling authorities to search across communications  data collections retained by multiple CSPs.  Another part of the CDB.

For: said to be less intrusive by focusing searches

Against: Federated search implies storing detailed profiles to link the databases together (CDB Joint Committee [114]).

Status: Anderson: “The Communications Data Bill contained provision for the retention of third-party data and for a request filter. Law enforcement still endorse the operational requirements which those provisions were meant to address, but want to engage further with industry on the best ways of meeting them.”

Prediction:  Anyone’s guess.

Watch out for: Clarity of technical proposal; consultation?

More on request filter here.

Judicial authorisation

What is it? Interception warrants in the UK are authorised by a Minister, not by an independent judicial or quasi-judicial body.  This has always been a bone of contention for civil liberties advocates.  Most demands to access communications data are authorised internally by the requesting authorities themselves.

For: The principle of the matter. The UK is out of step with most other liberal democracies. Internet and tech companies based in the USA may be more comfortable co-operating with judicial warrants.

Against: Ministers are in a better position to judge the political implications of issuing a sensitive warrant. They are politically accountable for their actions.

Status: Up in the air.  Anderson has recommended a new Judicial Commission to take over authorising interception warrants. RUSI has recommended a more limited scheme. The judgment in the Davis/Watson judicial review of DRIPA has said (subject to appeal) that the CJEU DRI decision means that there must be prior independent authorisation of requests for mandatorily retained communications data. It could be said that the same should apply to interception warrants.

Prediction: In the balance. The government may prefer to retain Ministerial control over warrants. But if it wants the new interception warrants regime to be legally bullet proof, the prudent course would be to go with a scheme for judicial or quasi-judicial approval of interception warrants.  Separately it has to decide how to deal with the regime for communications data demands following the Davis/Watson decision.

Watch out for:  Concentration on this issue to the detriment of others. It is important, but the scope and reach of powers is critical.

Wednesday, 12 August 2015

The Coming UK Surveillance Debate

This is a series of 13 posts about the forthcoming Investigatory Powers Bill, due to be published in draft this autumn for pre-legislative scrutiny by a Joint Committee of Parliament.

The Bill will replace a variety of statutes governing interception, mandatory communications data retention and communications data acquisition by public authorities. In particular it will supersede the Data Retention and Investigatory Powers Act 2014 (DRIPA) and parts of the Regulation of Investigatory Powers Act 2000 (RIPA).

  1. Red Lines and no-go zones
  2. Legal and policy origins
  3. Bulk interception, Part 1 (External communications)
  4. Bulk interception, Part 2 (The Section 8(4) certificate)
  5. Bulk interception, Part 3 (Selection of intercepted material for examination)
  6. Targeted interception (Reasonable suspicion, Thematic warrants, Ban on disclosure)
  7. Extraterritoriality, Transparency and Data sharing
  8. Communications Data Retention, Part 1 (Content/communications data boundary, Compelled data generation)
  9. Communications Data Retention, Part 2 (Third party data collection, Request filter)
  10. Communications Data Retention, Part 3 (Retention of weblog data)
  11. Communications Data Retention, Part 4 (Mandatory data retention purposes, Prior independent authorisation)
  12. Communications Data Acquisition
  13. Future-proofing
Other Cyberleagle posts on related themes include:

Key reference documents for the forthcoming Bill:

Privacy and Security: A modern and transparent legal framework (Intelligence and Security Committee of Parliament, March 2015)
A Question of Trust (David Anderson Q.C.'s report on Investigatory Powers, June 2015)
A Democratic Licence to Operate (RUSI Independent Surveillance Review, July 2015)

My own submission to the Anderson Review is here.

The Coming UK Surveillance Debate: Future-proofing

The last in a series of posts on the forthcoming Investigatory Powers Bill

RIPA was future-proofed by writing it in such abstract technology-neutral terms that, combined with some fiendishly tortuous drafting, anyone not in the know had little chance of twigging what it was actually designed to do.

The draft Communications Data Bill took a different approach, building in flexibility to accommodate future technological innovation by granting broad order-making powers to the Secretary of State orders that themselves would contain little detail.  This went down very badly with the Parliamentary Joint Committee that scrutinised it:
We have not seen a draft of such an order, and we have been told that we will not be shown one. But it is clear that the order will only be a framework. The specific requirements will be imposed by secret notices by the Secretary of State.
The Committee went on:
Given the wide anxiety raised by the breadth of clause 1, we pressed the Home Office officials as to why it could not be narrowed to cover only the gaps which currently needed to be filled. Mr Farrs answer was:

The fundamental reason why we are nervous about limiting clause 1 is future-proofing ... Because I genuinely believe that no sooner will you get this legislation through than something else will come up, given the pace of change in the communications industry, which will create another gap, particularly if clever people know that we have filled one area, and so now try to exploit another. Future-proofing and flexibility are at the heart of the language we have used in clause 1.
... We did receive from Mr Farr the important undertaking that Home Office officials would look at clause 1 again, and advise Ministers on whether it can be changed, enhanced or improved. We believe that it can indeed be changed and improved, by being narrowed to cover specifically the gaps so far identified. An undertaking, whether by officials or by ministers, that a power will be used only to a limited extent, is of little value. Once a power is on the statute book, it is available to be used, and also to be misused or abused, at any time in the future. It is hardly surprising that a proposal for powers of this width has caused public anxiety.
The Anderson Report described Clause 1 as an excessively broad power.  (14.24)

A similar criticism can be levelled at the data retention powers under DRIPA, which are exercisable by notice from the Secretary of State to public telecommunications providers. The government treats the notices as secret and has declined to reveal any details about them, even to the court that heard the DRIPA judicial review, on grounds that to do so would prejudice national security.

At least under DRIPA the specific datatypes that can be ordered to be retained are listed, albeit there has been a move towards more generality (and concomitant obscurity) in the amendment made by the Counter-Terrorism and Security Act 2015 to cover IP address resolution data.

Although technological neutrality and future proofing are admirable in many contexts, they can be positively dangerous in the field of invasive powers where all manner of unanticipated activity may inappropriately fall into scope in the future. When powers intrude on fundamental rights of privacy and freedom of expression it may be more important that Parliament and the public have a clear understanding of what is being authorised than that the legislation be future proof. (This broadly corresponds to the suggestion recorded at 12.96(d) in the Anderson report). If legislation goes out of date, in an area of this sensitivity Parliament ought not to begrudge its time spent scrutinising any further proposal for new, extended or reduced powers.

The Coming UK Surveillance Debate: Communications Data Acquisition

One of a series of posts on the forthcoming Investigatory Powers Bill

The boundary between communications data and content is likely to be revisited

One area where the government might look at the possibility of reining back powers is a reduction in the number of public authorities who are able to access communications data and for what purposes.  That is in any event likely to be affected by the restriction on purposes for which mandatorily retained data may be accessed following the DRIPA judicial review judgment (subject to any appeal).

Professional and journalistic privilege should be addressed more robustly than by the current Code of Practice guidance, with at least the promised implementation of the Interception Commissioner’s recommendation for the introduction of judicial authorisation for demands aimed at identifying journalists’ sources. The DRIPA judicial review judgment may result in a broader requirement for judicial or other independent authorisation in any event, at least for mandatorily retained data.

There is room for more stringent constraints on the quantities of data covered by a single authorisation or notice. At the moment a notice could cover communications made from an e-mail address over an hour or two or over a year or more.  There are no limits other than the duty on those involved to satisfy themselves of the proportionality of the demand. Thus the Acquisition of Communications Data Code of Practice states:
“3.54. Designated persons should specify the shortest possible period of time for any authorisation or notice. To do otherwise would impact on the proportionality of the authorisation or notice and impose an unnecessary burden upon the relevant CSP(s).”
Some selected recommendations from many in the Anderson report (which was published before the judgment in the DRIPA judicial review):
Public authorities with relevant criminal enforcement powers should in principle be able to acquire communications data. It should not be assumed that the public interest is served by reducing the number of bodies with such powers, unless there are bodies which have no use for them. There should be a mechanism for removing public authorities (or categories of public authorities) which no longer need the powers, and for adding those which need them. (Recommendation 50)

The requirement in RIPA 2000 ss23A-B of judicial approval by a magistrate or sheriff for local authority requests for communications data should be abandoned. Approvals should be granted, after consultation with NAFN, by a DP of appropriate seniority within the requesting public authority. (Recommendation 66)

In recognition of the capacity of modern communications data to produce insights of a highly personal nature, where a novel or contentious request for communications data is made, the DP should refer the matter to ISIC for a Judicial Commissioner to decide whether to authorise the request. (Recommendation 70)

The Coming UK Surveillance Debate: Communications Data Retention, Part 4

One of a series of posts on the forthcoming Investigatory Powers Bill

Mandatory data retention purposes. The July 2015 High Court decision in the Davis/Watson judicial review of DRIPA followed the CJEU DigitalRights Ireland case in April 2014, which invalidated the EU Data Retention Directive.  In July 2014, three months later, the UK government rushed DRIPA through Parliament in a few days as emergency legislation, replacing the previous secondary legislation which, since it implemented the now invalid Directive, was itself vulnerable to challenge.

The government did not claim at the time that DRIPA addressed every aspect of DRI. DRIPA made some accommodations, for instance enabling data retention notices served on communications service providers to specify different periods up to 12 months for retention of different classes of data.  However the government could not rely in the court case on the newly flexible time period.  Since it declined to give any details of DRIPA notices given to CSPs, the court had to assume that any notices that may have been given required retention for the full 12 months.

The CJEU in DRI set out a list of reasons why the Data Retention Directive did not comply with the Charter.  However it left room for doubt as to whether every ground was a self-standing reason for invalidity, or whether only the cumulative list as a whole justified invalidating the Directive.  The High Court had to grapple with this issue and decide which grounds, if any, were meant to be independent conditions for Charter compliance.

It decided that three requirements were stated with such emphasis as to be intended to be self-standing:

-           the legislation must lay down clear and precise rules governing the scope and application of the measure; and imposing minimum safeguards sufficient to give effective protection against the risk of abuse and against any unlawful access to and use of the data (paragraphs 52 and 54);

-           access to and use of data retained under a general retention regime must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences (paragraph 61);

-           "Above all", access must be dependent on a prior review by a court or an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued, and which intervenes following a reasoned request of those authorities (paragraph 62).

Following this judgment (subject to appeal) there is now a question mark over the purposes for which mandatorily retained communications data may be accessed, even if the government can devise an otherwise EU Charter-compliant retention regime. 

While Article 15(1) of the EU Privacy and Data Retention Directive mentions national security as well as investigation of criminal offences as grounds to restrict certain of the privacy protections in the Directive, the CJEU DRI judgment was framed entirely in terms of crime or serious crime.  The order made by the High Court disapplied DRIPA in the following terms, which exclude national security:
“in so far as access to and use of communications data retained pursuant to a retention notice is permitted for purposes other than the prevention and detection of serious offences or the conduct of criminal prosecutions relating to such offences”.
The High Court noted in its judgment:
“In their submissions on remedy following receipt of our draft judgment counsel for the [UK government] raised for the first time the question of whether access to retained data for national security reasons is within the scope of EU law. This was not raised in the oral or written arguments previously addressed to us and we decline to allow it to be raised at this late stage. Whether national security cases should have different provisions for authorisation of access to communications data will no doubt be the subject of careful thought when the new legislation is being drafted.” [123]
National security apart, the purposes for which communications data may currently be accessed under RIPA are considerably broader than either national security or serious offences and, subject to any appeal against the High Court judgment, will have to be revisited at least for mandatorily retained data.

Prior independent authorisation. The method of authorisation of access at least to mandatorily retained communications data will need to be reconsidered in the light of the DRIPA judicial review judgment (subject to appeal), so as to put in place prior authorisation by a court or independent administrative body.

The Coming UK Surveillance Debate: Communications Data Retention, Part 3

One of a series of posts on the forthcoming Investigatory Powers Bill

Retention of weblog data. Perhaps the most contentious and confused aspect of communications data retention is the debate over so-called weblog data. Anderson said:
“What is meant by web log in this context has caused some uncertainty, and independent experts to whom I have spoken criticise the term, and those who use it, on the basis of imprecision (as well as the inapplicability of the term to non-web based services).” [9.53]
The confusion around weblog data is heightened by the fact that the definitional boundaries are different for mandatory retention under DRIPA, voluntary retention under ATCSA 2001 and access to communications data by public authorities under RIPA.

RIPA drew the original line between communications data and content.  A machine identifier (such as an IP address or a URL up to the first slash) was communications data, but a URL after the first slash was content.  As Anderson observes, there are arbitrary elements to the core definition.  So is communications data, is content, but is communications data (Anderson, 9.54, fn 32).

The Home Office seems to want to extend mandatory retention to include URLs up to the first slash, but not full URLs. That appears from the definition of weblog data that it provided to Anderson:
“Weblogs are a record of the interaction that a user of the internet has with other computers connected to the internet. This will include websites visited up to the first ‘/’ of its [url], but not a detailed record of all web pages that a user has accessed. This record will contain times of contacts and the addresses of the other computers or services with which contact occurred.” [9.53]
Weblogs limited in that way could still, Anderson observes, “reveal, as critics of the proposal point out, that a user has visited a pornography site, or a site for sufferers of a particular medical condition, though the Home Office tell me that it is in practice very difficult to piece together a browsing history.” [9.54]

The Home Office description of weblog data is also intended to cover data such as destination IP addresses, DNS server logs, http ‘GET’ messages and IP service use data. [Anderson 9.54, fn 32] The inclusion of GET messages is odd. A GET message requests a page from the web server. Unless truncated it would be the equivalent of retaining a full URL.

Anderson reports law enforcement apparently pressing the case for compulsory retention of weblog data less strongly than to the Joint Committee in 2012:
“In short, it was not submitted to me, as it was in 2012 to the [Joint Committee], that “access to weblogs is essential for a wide range of investigations”. [9.61]
 However he added:
“it was clear from my conversations with the most senior officers that law enforcement does want a record to exist of an individual’s interaction with the internet to which it can obtain access. Ultimately it would argue for the retention of web logs, subject to safeguards to be determined by Parliament, if this was identified as the best way to meet its operational needs. But it would expect all avenues to be explored before reaching a final view on the best solution.” 
Recommendations of the three Reviews in relation to weblog data retention are:
No recommendation
Full consideration should be given to alternative means of achieving those purposes, including existing powers, and to the categories of data that should be required to be retained, which should be minimally intrusive. If a sufficiently compelling operational case has been made out, a rigorous assessment should then be conducted of the lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained. No detailed proposal should be put forward until that exercise has been performed. (Recommendation 15)
No recommendation

Given the confusion over what is and is not weblog data, I have set out in the table below a tentative analysis (others may have different interpretations and I reserve the right to change my mind!) of the current position on retention and access to some types of communications data. References to ‘Schedule’ are to the Schedule annexed to the Data Retention Regulations 2014 (S.I. 2014/2042) made under DRIPA.

Three points should be borne in mind when reading the table.  First, a ‘Yes’ answer does not mean that that type of data is necessarily covered in all circumstances.  It has at least to satisfy the conditions in rows 2 and (for CTSA 2015) 3 of the table. Second, I have given the benefit of the doubt to CTSA’s difficult definition of relevant internet data (set out in row 3). Third, CTSA can only apply to data that is not already covered by the DRIPA Regulations.

Mandatory retention possible under DRIPA?
Mandatory retention possible under CTSA S21?
Can disclosure be required under RIPA Pt I Chapter II?

Applies only so far as the data is generated or processed within UK by a public telecommunications operator in the process of providing a telecommunications service (DRIPA S. 2(1)).
A telecommunications operator can be required to disclose communications data in its possession and to obtain and disclose it if not in its possession 

Applies only to the extent that the data can identify, identify, or assist in identifying, which IP address or other identifier belongs to the sender or recipient of a communication

At customer’s ISP

Source static IP address
Yes (Schedule, 13(1)(b))


Source dynamic IP address.
Yes (Schedule, 13(1)(b))


Source shared IP address (within ISP e.g. CG-NAT)
Yes (Schedule, 13(1)(b))


Source port number

Weblog data: destination IP address
Probably excluded by S.21(3)(c)

Weblog data: destination URL (up to first ‘/’)
No (excluded by S.21(3)(c))
Yes (traffic data within S. 21(6))
ATCSA 2001 Voluntary Code provides for retention for 4 days
Destination URL (after first ‘/’)
No (excluded by S.21(3)(c))
No (excluded by last para of  S.21(6))
Excluded from ATCSA 2001 Voluntary Code

At public wi-fi point

Source MAC address

At webmail provider or other public host

DRIPA confirmed webmail as a telecommunications service
IP address allocated by user’s ISP


Port number allocated by user’s ISP