New Data Retention Bill

[Corrected 28/11: "relevant internet data" is limited to that "generated or processed" (not merely "held") by the telecommunications operator]

As announced in last weekend's media Clause 17 of the Counter-Terrorism and Security Bill increases the range of data that the Government can order public telecommunications providers to retain. The Bill amends the recent Data Retention and Investigatory Powers Act 2014 – indeed several amendments are necessary definitions that were missed out of that Act, rather than new powers. The powers that are new don’t seem to bring any new CSPs into scope that weren’t already covered by DRIPA (section 1(1) of DRIPA still applies, limiting the power to "public telecommunications providers") and they don’t require those providers to collect information that they don’t already "generate[] or process[] ... in the process of supplying the telecommunications services concerned" "process" or "hold".

The main change is to increase the range of information that providers can be required to retain. Previously this was limited to the list in the Schedule of the 2009 Data Retention Regulations, notably "The IP address, whether dynamic or static, allocated by the internet access service provider to the communication" (Schedule, s.13(b)). The imminent exhaustion of IPv4 addresses has resulted in increased use by internet providers of various technologies – generally described as "Network Address Translation" – that allow several people to use the same IP address at the same time. This is apparently causing increasing problems for investigations, so the new Bill now allows orders requiring telecommunications providers to retain information "relevant internet information" that "may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)". That’s likely to include logs of the various address translation services that telecommunications providers operate: depending on the exact form of translation that could involve anything from logs of every TCP session to little more than current DHCP logs.

Whereas DRIPA was previously limited to data "generated or processed … in the process of supplying the telecommunications services concerned", that restriction hasn’t been extended to cover the new "relevant internet information". This "Relevant internet information" must "relate[] to an internet access or internet communications service" and fall within the definition of "communications data" in section 21 of the Regulation of Investigatory Powers Act 2000. Unfortunately because of s.21(4)(c) of RIPA, that could include "any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service". Given DRIPA’s clarification (in s.5) that webmail and other "service[s] consist[ing] in or includ[ing] facilitating the creation, management or storage of communications transmitted, or that maybe transmitted, by means of such a system" are considered "telecommunications services", that could be quite a lot of data, going well beyond the normal understanding of "communications data".

Hopefully Parliament's debate of this new Bill will provide an opportunity to correct that over-reach in all three pieces of legislation.