EXCL: A wall of silence surrounds plan to collect citizens’ internet records nationwide


Credit: Descrier/CC BY 2.0

The government plans to create a nationwide service through which authorities will be able to search and obtain citizens’ internet connection records from communications companies.

The nationwide platform rollout follows trials that came to light last year that involved two – unnamed – internet service providers.

There has been no announcement by the government or other public authority of the decision to expand these explorations into a full national program – one that could allow law enforcement to access the information. on all websites visited by any individual in the UK.

The creation of a national platform was instead revealed in a recently published online tender notice, inviting tech companies to bid to provide IT system migration support – as well as the development of a filtering tool allowing authorities to search for and filter information. results.

After discovering the notice, AudienceTechnology contacted the Home Office and the National Crime Agency – the organizations which jointly conducted the previous trials – as well as the watchdog responsible for overseeing communications surveillance. We also contacted the UK’s 16 main broadband providers and mobile network operators, as well as the main commercial sector body for ISPs.

“Following the completion of some initial trial activities, work is underway to provide a national ICR service. As part of this national service, a central filtering device and a results platform are necessary.
Headquarters Supply Specification

None of these organizations answered any of our questions or provided any comments or additional information about what the service will involve, their organization’s role or involvement in running it, whether police will need an order. court to search databases of Internet Connection Records (ICRs), or the implications for citizen privacy and data security.

With the exception of an initial phone call to the Home Office, all further calls and emails to the department, the NCA and the Office of the Commissioner for Investigative Powers – a statutory body whose role is to “supervising the use of secret investigative powers by…public authorities” – went unanswered.

On the question of how and which telecom companies will support the service, and how customer data could be provided to authorities, the trade body Internet Service Providers Association declined to comment, as did Tesco Mobile and Glide, a specialist broadband provider for students, while Hyperoptic said it was reviewing our investigation.

We have received no response from: BT; Sky; blank media; Speak speak; Vodafone; Shell Energy; Zen; KCOM; Sharper ; EE; Three; 02; and Giffgaff.

spy diary
The procurement document provides some details on the technical specifications of the national ICR service and how law enforcement will be able to use it.

He notes that the provisions of the Investigative Powers Act 2016 – often referred to by critics as the Snoopers Charter – have allowed “law enforcement agencies to lawfully obtain internet connection records at the support for their investigations”.

Although an Internet connection record does not constitute a complete browsing history, it does contain information about all the websites visited or applications accessed by a user, as well as details about the device used and the time of the visit. – although it lacks the detail of what individual pages were visited. Customer account information with the telecom provided in question is also embedded in the records, as is the user’s IP address.

Since the introduction of the Investigatory Powers Act, communications companies can be required to retain this data for up to a year – although this requires an order approved by one of the UK’s judicial commissioners.

12 months
Length of time ISPs may be required to retain customer ICR data

‘End of 2022’
Date Home Office hopes to have ICR data search tool ready for private beta testing

Number of ISPs and mobile operators who were contacted for this story – and also the number who declined to comment

£2 million
Amount budgeted for developing a results filtering tool and migrating systems into an AWS environment

December 30, 2016
Effective date of the Investigative Powers Act – dubbed the Snoopers Charter

Earlier documents filed by the IPCO reveal that the first two such approvals were granted in 2019 – apparently in a bid to pave the way for the ICR service to go to trial. The telecommunications companies affected by the orders were not named in the documents.

The national service allowing law enforcement to access ICR information from a wider range of providers is overseen by the National Communications Data Service, a low-profile unit that is part of the Home Office’s counter-terrorism operations and whose mandate – as described in another procurement notice – is “to provide designated representatives of law enforcement and public authorities at large with access to communications data retained in accordance with law”.

In its recent tender for a technology provider, the NCDS revealed that trials of an ICR service last year included creating a “filtering device and results platform that… will be the basis of at least part of national service, and work is underway to determine exactly what elements of the trial will be used and how; we expect this analysis to be completed shortly.”

“To ensure maximum reuse of testing capabilities, work is underway to assess which items can be migrated to NCDS and which items need to be rebuilt,” he added.

Once this assessment is complete, work will begin on building the filtering tool which, when complete, will be migrated to data center storage provided to NCDS by Amazon Web Services.

“We are working in line with the expectation that a private beta version of the filtering arrangement and results platform capability will be available for use against telecom carrier data by the end of 2022. “, he added.

Requests and access
With the full ICR service online, NCDS’ goal is to provide law enforcement with a digital platform that provides the “ability to request ICR data… [and] access ICR data, so that I can use it to support criminal investigations and identify where I might need to send requests for other data on other systems”.

Suppliers interested in bidding to provide an eight-person ‘technical migration’ team to support the work of the unit have until midnight today to do so, with the Home Office hoping to sign a contract with the bidder retained by July 6.

The chosen firm should be appointed to complete an initial six-month statement of work, but the department may choose to extend its contract with the firm for an additional 18 months beyond that. A budget of up to £2 million has been allocated for the work that will take place during this period.

At the time of writing, 15 companies have started bidding, and five potential suppliers – all of which are SMEs – have completed the process.

“Law enforcement agencies need access to ICR data, so they can use it to support criminal investigations and identify where I might need to send requests for other data on other systems”
Headquarters Supply Specification

vendor personnel will require Security Screening (SC) clearance before joining an existing project team of both government and contractors.

“Given the current timelines for receiving clearance, please consider nominating individuals with an existing SC whenever possible,” the contract notice reads. “Please note that if people do not have a Home Office SC, they will need to go through a confirmation of the authorization process before they can start working.”
In a fact sheet issued before the Investigative Powers Act was introduced, the government claimed that “ICRs are essential to law enforcement investigations in several respects”.

Specified use cases for ICR data included “to help identify who sent a known communication online”, “to establish what services a known suspect or victim has used to communicate online”, “to establish whether a known suspect was involved in online communications”. crime” and “to identify services to which a suspect has accessed that could assist in an investigation”.

“There is currently no legal requirement for CSPs to retain KPIs and therefore this information may not be available to law enforcement, meaning they can often only paint a fragmented picture of the information from a known suspect,” the document added.

“Communication service providers can [now] be required to retain KPIs for a maximum period of 12 months. This will be invaluable to law enforcement for the prevention and detection of crime and the protection of national security.


Comments are closed.