Here we go again! Another classic example of rushed-through legislation without sufficient industry input or parliamentary scrutiny (or even technical understanding), in reaction to a high-profile (and in this case highly emotive) issue in the run-up to an election. Is this ringing any bells? No, it’s not the DEA this time; it’s the brand new Counter Terrorism and Security Bill (CTSB), which has been published today.
Paul Heritage-Redpath, Product Manager
Following yesterday’s published review into the tragic death of Fusilier Lee Rigby, which found that his death could not have been prevented by MI5 and instead criticised the ‘ISP’ (which in actual fact wasn’t an ISP but the social media platform Facebook!) for not monitoring its customers’ communications and reporting potential threats to the authorities, the Government has today published a new Bill which is set to target the increasing terrorism threat to the UK.
Unfortunately, once again Parliament has failed to grasp the technical aspects of this issue. Not only have they confused Facebook (and Google) with ‘ISPs’, they seem to think that this new Bill will enable ISPs to ‘snoop’ on their customers’ social media posts, which isn’t the case. Facebook in particular encrypts all information, which means no UK ISP will be able to access this information, regardless of the new laws! The additional fact that Facebook is a US-based company makes it even less likely that it will comply with any ‘requests’ from the UK to change these practices.
Even if it were possible, or if we consider the monitoring of other communications such as email (which ISPs would potentially have access to), there have been several previous failed attempts at introducing new laws to cover this due to privacy concerns, not to mention the sheer enormity of the task at hand. Currently, ISPs only provide details of specific customer communications when requested to do so by the police or security agencies using a RIPA (Regulation of Investigatory Powers Act) notice. We do not proactively monitor or scan customer communications for potential ‘illegal’ activity or terrorist threats: we don’t have the legal power to do so and we, as ISPs, are not the police, and therefore should not be making such judgements.
What does the new Bill include?
The role of RIPA in investigations does not appear to have changed. ISPs will still only provide information to the authorities when requested to do so under a data retention notice and will not be required to scan or monitor general communications, despite yesterday’s responses to the review. However, there is a clear call from Government for industry to ‘do more’ on this matter. I guess we will have to wait and see how that plays out.
The key concern of the proposed new Bill is the fact that it will once again focus on the IP address to ‘identify’ a user. Time and time again the industry has advised Government that this is not the best practice, yet still they choose to ignore us.
Responding to the industry news website ISPReview.co.uk earlier this week, Nicholas Lansman, ISPA Secretary General said: “ISPA is disappointed that the Home Office has not consulted with industry on proposals for IP matching, but we will work with our members to scrutinise and inform the legislation when it is published. IP addresses can generally only be used to identify a subscriber and not an individual. As we argued in our submission to the Anderson Review on future communications data laws, the Home Office needs to do more to consult with industry on its proposals, once again there has been a distinct lack of engagement with industry.
Government committed to a review of communications data capabilities by David Anderson QC which we supported, yet the Home Secretary appears to have pre-judged the inquiry by reemphasising the need for a new Communications Data Bill, a Bill that both relevant parliamentary committees rejected”.
The problem is, identification based on IP address simply isn’t reliable. IP addresses can be spoofed, reassigned or simply shared among multiple users (e.g. public WiFi or even within a home or office environment). Therefore identifying a specific user or device will be very difficult and could provide unreliable information.
We think the most frustrating aspect of this new Bill is the fact that, despite consultation with industry for the Anderson report, it has disregarded our input and once again focused on IP address matching. The Government regularly calls on the industry to ‘do their bit’ and work with them, yet when we do they ignore our suggestions and concerns and then impose new regulations on us that will provide little benefit to the investigations. When are they going to learn to listen to us?
Have your say!
Do you think IP address matching will provide reliable information to help in such investigations? Or are you also concerned by its potential for abuse and unreliable results? Do you think Government should liaise with and, most importantly, listen to industry more on such matters? Are you concerned that once again an important Bill has been rushed through parliament? Let us know your opinion on this subject by leaving us a comment below.