Tuesday, 15 March 2016

The Futility of Internet Connection Records

The Draft Investigatory Powers Bill was debated for the first time in the House of Commons today. Unfortunately the majority of the debate did not mention the fundamental issues with Internet Connection Records (ICRs).

Part 4 of the Bill outlines the power of the Home Secretary to require a "telecommunications operator" to retain the Internet Connection Records of all of its customers for no longer than 12 months. A natural question to follow is what constitutes an ICR? This is inadequately answered in Part 4, Sec.71 (9) of the Bill, it states:

In this Part “relevant communications data” means communications data which may be used to identify, or assist in identifying, any of the following— 
(a) the sender or recipient of a communication (whether or not a person), 
(b) the time or duration of a communication, 
(c) the type, method or pattern, or fact, of communication, 
(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted, 
(e) the location of any such system, or 
(f) the internet protocol address, or other identifier, of any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program. 
In this subsection “identifier” means an identifier used to facilitate the transmission of a communication.

For the learned colleagues among us, this is essentially the header of a packet traversing a public network in the United Kingdom.

The purpose of this post is not to lament already well documented and publicised criticisms of this section of the proposed Bill. It is however, to highlight one (of many) glaring issues with the utility of this power.

I have created a vastly simplified diagram of the typical use of a commercial VPN to better illustrate (to those without the requisite knowledge) how ICRs could be rendered useless. I have found that verbally describing this process does not have the impact I would hope. As a result I hope this post will serve as an aid in this respect.
The diagram shows two requests, one without the use of a VPN and one with.

In the latter, through an encrypted tunnel, the ISP forwards the HTTP request to the VPN provider
and creates an ICR of that request. The ISP can only see the destination as the address of the VPN provider, therefore the ICR only contains the address of the VPN provider. The VPN provider receives the request and processes it on behalf of the user located at At no point is the ISP (or any other entity) able to view or record any details contained in the encrypted tunnel.

VPNs make ICRs useless. Especially if the VPN provider is located outside the jurisdiction of British law.

This is one argument of many against the utility of ICRs. It would appear that the valid arguments of government over-reach and the negative impact on the privacy of millions of people gains little traction.. so it seems necessary to start challenging the many flaws in the practical application of this power.

In a future post I plan to discuss the significant issue of safely storing massive volumes of intimately personal data of millions of people.