Home Secretary Theresa May said in a speech this week that a new Counter-Terrorism and Security Bill, due to be debated by MPs tomorrow (Wednesday), will require internet service providers (ISPs) and other firms to store – and hand over - data that identifies who is using any computer or mobile phone at any one time.
The bill is aimed at helping law enforcement track down individual hackers, cyber-criminals and terrorists, by solving the problem that currently hundreds of devices can share one single ‘gateway' IP address.
But the UK Internet Services Providers' Association (ISPA) – who have not been consulted on the bill – fear the only way to achieve this is by mass-collecting mobile phone data.
ISPA chairman and Keycom CTO James Blessing told SCMagazineUK.com that the only practical way to establish which individual phone or computer user visited a certain website at a certain time “is if you recorded every single piece of traffic for that device, at which point you're into the argument of what's comms data, what's content”.
Blessing emphasised that the ISPA is “in the dark” about what exactly the bill will entail, but warned: “The rise of the use of mobile for internet access would imply this is what they're talking about.
“It might be is a simple line, saying communications service providers must provide a way for identifying an end user when provided with an IP address - which sounds really quite innocuous. But when you dig into the detail of how you would actually go about doing that, you're moving in the direction of collecting data that probably sits beyond comms (communication) data.”
The ISPA's stance reflects the view of privacy groups who believe the new law is a backdoor attempt to revive the Communications Data Bill - the so-called ‘Snooper's Charter' recently scrapped after Lib Dem opposition – which would have allowed police and security agencies to directly access communications data.
Blessing told SC: “If I was being a cynic, it's the Comms Data bill ‘lite', subtly tweaked to get away with it, so it doesn't look like the Comms Data Bill, or you were trying to not tip off people to what you wanted to do.”
Privacy campaigner Emma Carr, director of Big Brother Watch, said in a statement: “The Home Secretary's speech highlights that the ‘Snoopers Charter' is anything but dead and buried. The detail in the speech has done little to quell concerns regarding the technical requirements for retention of IP addresses.
“It is essential that Wednesday's Counter-Terrorism and Security Bill shows that clear discussions have taken place with the ISPs and that the government have a solid understanding of the policy's technical feasibility.”
Security industry watcher Professor Mike Jackson, from Birmingham City University, echoed these concerns while insisting the “increased internet data powers for the police” will do little to catch real terrorists.
Jackson said in a statement: “We are heading little by little towards having to accept the Snooper's Charter. The new bill provides more information for the police and security forces; but in the end will probably only help them identify nuisance users of the internet and not the terrorists they wish to catch.
“We can therefore expect that this is not the end of the road for internet legislation but just a step towards a world where all the data we generate is open to government scrutiny.”
However, cyber-security expert Alan Woodward, visiting professor at Surrey University and a Europol adviser, felt the fears are exaggerated.
He told SCMagazineUK.com: “I don't know why people are waving their arms around saying ‘this is the Snooper's Charter by another door, by a back route'. I don't believe it is at all.
“All they're effectively saying is we want records of which IP addresses are assigned to which customer to be retained.
“If a telephone had been used to facilitate a crime, you'd want to know who had used that telephone. It's no different to that. This isn't about monitoring what websites you visit or anything like that - this is simply about who had what access to what IP address.”
Woodward added that he “disagreed totally” with the view that the new law establishes the principle of blanket data collection or surveillance.
“It absolutely does not,” he told SC. “It's like saying that being able to look at somebody's phone records to see who they phoned when, is equivalent to being able to listen in to their phone calls and it just is not. I think there's a bit of a leap.”
Woodward feels ISPs should respond to recent government warnings that they are unintentionally providing a safe haven for terrorists.
“ISPs have to accept that they're not just dumb pipes - they have to take some responsibility, they have to help in some ways,” he said.
But James Blessing likened blaming ISPs for helping terrorists to saying “the telephone is responsible for people making marketing calls”.
He said blocks on the internet would likely lead to “the proliferation of tools to bypass blocks – the proliferation of VPNs, increased use of things like Tor”.
Blessing said: “Anyone with darker intent who has any nous will just change their behaviour to a layer that is more difficult to track.
“The intelligence services need to work with the service providers – but how exactly we do that going forward is a very difficult topic.”
Meanwhile freedom of information campaigner Jim Killock from the Open Rights Group said in a blog post on Monday that the proposed new mobile IP data retention “is another proposal for blanket retention beyond what is needed for business purposes.
“It has the effect of eroding the principle behind defining the basis of proportionate measures to retain data, and surreptitiously signing up Parliament to the idea that blanket collection is not necessarily a problem.
“Once the principle that blanket data retention is fully accepted, resistance to the Snoopers' Charter will weaken, and MPs will turn to oversight as sufficient protection. We need a full debate about the whole question of data retention.”