Thursday, 22 May 2014

Is RIPA fit for purpose?

As some of you know, The Regulation of Investigatory Powers Act 2000 provides a formalised process for authorities (e.g. police) to request information from the likes of telcos and ISPs. It also covers a load of other stuff including interception of communications.

Note: AAISP do not have any equipment connected to our network or in our network to intercept communications under RIPA or other such legislation. I.e. we have no "black boxes". Feel free to ask me on irc if you want to double check.

This process involves the police sending a form, usually by email, to the telco/ISP. The form does have details of a police officer that we can contact to check the form is valid. The whole process is, as I understand it, confidential, and could relate to investigations in progress, so naturally I cannot go into any details on any RIPA requests we have had.

Being a relatively small ISP and telco we get very few of these. Maybe a couple a year. But we recently had the opportunity to see how the process works from the other side, i.e. as the victim of a crime.

As an ISP we have always suspected the whole thing is a mess of bureaucracy and delay. Most RIPA requests we get are not sensible (and as I say, we get very few). Some are plain wrong, e.g. one recently where it says "Communications provider: Talk Talk" and indeed was asking about a TalkTalk retail IP address, but was emailed to us not TalkTalk!

The requests we have had are either about a phone number or an IP address. I am not sure we have seen one for an IPv6 address yet. For a phone number, we could potentially have billing records for calls to/from the number, but we try not to hold any more than we need for billing and diagnostics, and we have not been required to hold data under The Data Retention (EC Directive) Regulations 2009. So, in general, we rarely have more than just billing name and address details. For an IP, it is much the same as IPs are fixed to one customer and we don't log what web sites people visit, etc. In most cases this is all the police need anyway.

Obviously we always stress that the billing contact may not be the user at the time, and that the installation address may not be the address where the number or IP was used. We allow L2TP login for all DSL line IPs from anywhere in the world, and people can (and do) run relays, VPNs and Tor nodes.

When it comes to phone numbers we usually find the number is not in use, and often has never been allocated. Spoofed CLI is very common in crime, it seems, and the police have a really hard time understanding that you cannot trust a CLI.

Now, when it comes to the other side, just after we were robbed (next day I think), one of the stolen machines did a bit of a phone home, logging in to Dropbox. This was a staff member's Windows machine. The Apple boxes that are supposed to have tracking and so on, not a peep. Sad. This meant we knew a Virgin IP address and told the police right away.

From what we can tell this was an address in Slough where someone "fixes" the machines - presumably wiping and re-installing and so on. An essential process in the resale of stolen goods, I am sure. If the police had gone there right away they may have found the stolen machines there.

Unfortunately it was a much, much slower process. The police officer handling it had to talk to another department about tracing the IP. It was a process that involved some days before they came back asking the time zone. We said UTC. Many more days later they came back with "what do you mean UTC? Is that a time zone?". It was shocking. The time stamp was only to the minute, which caused an issue, even though Virgin IP addresses are sticky enough for that to be one address only. It was very frustrating.
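The time-zone and minute-precision problems described above are exactly what a provider's lookup has to cope with. As an added example (not part of this post, and not AAISP's or any other provider's code), this Python lookup normalises a requester's timestamp to UTC, refuses to guess a missing zone, and returns every subscriber who could have held the address within the stated precision rather than picking one; the allocation records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

UTC = timezone.utc

@dataclass(frozen=True)
class Allocation:
    ip: str
    subscriber: str
    start: datetime  # inclusive, UTC
    end: datetime    # exclusive, UTC

# Constructed sample of an access provider's dynamic-IP allocation log: a "sticky"
# address that changes hands once, part-way through a minute (not real data).
ALLOCATIONS = [
    Allocation("203.0.113.7", "sub-1001", datetime(2014, 5, 1, tzinfo=UTC),
               datetime(2014, 5, 3, 12, 30, 30, tzinfo=UTC)),
    Allocation("203.0.113.7", "sub-2002", datetime(2014, 5, 3, 12, 30, 30, tzinfo=UTC),
               datetime(2014, 5, 9, tzinfo=UTC)),
    Allocation("203.0.113.8", "sub-3003", datetime(2014, 5, 1, tzinfo=UTC),
               datetime(2014, 5, 9, tzinfo=UTC)),
]

def parse_request_time(stamp: str, zone: str) -> datetime:
    """Convert the requester's 'YYYY-MM-DD HH:MM' wall-clock stamp plus stated zone
    to UTC. zone is 'UTC' or a fixed offset such as '+01:00' (BST). A missing or
    unrecognised zone is refused: guessing it silently picks the wrong subscriber."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    if zone.upper() in ("UTC", "Z"):
        return naive.replace(tzinfo=UTC)
    if not zone or zone[0] not in "+-" or ":" not in zone:
        raise ValueError(f"zone {zone!r} not stated as UTC or +HH:MM; refusing to guess")
    hours, minutes = (int(p) for p in zone[1:].split(":"))
    delta = timedelta(hours=hours, minutes=minutes)
    offset = timezone(delta if zone[0] == "+" else -delta)
    return naive.replace(tzinfo=offset).astimezone(UTC)

def resolve(ip: str, stamp: str, zone: str, precision_seconds: int = 60) -> list:
    """Subscribers who held `ip` at any instant in [stamp, stamp + precision).
    Two or more results mean the request is ambiguous at the stated precision
    and should go back for a finer time, not be answered with a guess."""
    addr = ip_address(ip)
    t0 = parse_request_time(stamp, zone)
    t1 = t0 + timedelta(seconds=precision_seconds)
    return sorted({a.subscriber for a in ALLOCATIONS
                   if ip_address(a.ip) == addr and a.start < t1 and a.end > t0})
```

The same wall-clock minute gives one subscriber when read as UTC and two when read as BST, which is the whole reason the "Is that a time zone?" question matters.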

I ended up contacting Virgin via my contacts saying "Please can you help this police officer fill out a RIPA form that you can process?". I don't know if that helped or not.

It was weeks before the process finally gave up an address, and an arrest was made, but the kit had all gone.

Whilst I am massively in favour of due process, I am not in favour of broken bureaucracy. I don't know why there is not an internal police web portal where the investigating officer completes details, maybe it is flagged immediately to a superior officer to approve, and then sent electronically to the ISP, with an electronic reply. Large ISPs could even have some digitally signed XML interface to handle the RIPA requests and reply in seconds, but with all the approval process, authentication and paper trail that is needed. If that had existed we would have probably got our stolen stuff back and they may even have been able to catch the actual thieves when they tried to collect the stuff.

Oh well.


  1. As a telco we get maybe two a month. I don't think we have ever had a request which has been correct on the first attempt and we have seen errors in practically every field. They get a bit upset about the fees we charge for processing the request as we have negotiated a fixed fee based on the average amount of time it takes our staff to process one including all the chasing and phone calls we need to make.
    The big problem is that often due to cost cutting it's not the experienced police officers performing this admin task but instead some lower paid civilian civil servant without the basic knowledge of what they are requesting.
    I don't know how long we keep call records for as that's part of the billing system which I don't have any dealings with, but we keep call diagnostics for about 3 months and that's mainly because some people query items on a bill only when it's due to be paid, which can be 30 days after the bill is issued, which in turn is for calls within the last month. That is purely signalling and we don't capture any voice traffic.

  2. > Note: AAISP do not have any equipment connected to our network or in our network to intercept communications under RIPA or other such legislations.

    How do you know for sure? Aren't some of your servers at a third-party server farm? I'm guessing your access to this will be quite limited for security reasons.

    > "what do you mean UTC? Is that a time zone?".

    OMG - haven't the police detected the presence of wikipedia yet?

    1. We don't have stuff at "a server farm". We have racks, connected with fibres and transit and stuff. And we know what is in those racks. We cannot, obviously, rule out someone else "in the internet" doing stuff, which is why people use https, etc, but they all have a harder time associating it with customer records than we would.

  3. Why don't the police have an electronic workflow for RIPA?

    I suspect because they lack investment, each force running their own old, incompatible and well past use by date multiple infrastructures.

    Because there is no recent example of (large) government IT project that was well defined, designed and then implemented within anything close to budget, timing or (and more importantly) expected capabilities.

    And honestly, RIPA is probably not at the top of the list of needed police IT or procedure improvements.

    The process is likely to just be an adaptation of another process already in place, itself not fit for purpose... Don't re-engineer or improve, just take something "easy" already in place it's far less risky. No one can blame you when it doesn't work.

    Sounds like I'm pessimistic/sarcastic today!

    1. And from today's large projects report (picked up from The Independent):
      The Government is also struggling with yet another project to introduce a new IT system, which is proving slower and more expensive than they expected. This is the new system for the National Crime Agency, which was ‘amber/red’ this time last year has since been downgraded to ‘red’

  4. > Large ISPs could even have some digitally signed XML interface to handle the RIPA requests and reply in seconds

    Three things which might interest you:

    1.) paragraph 7.17 of the Interception of Communications Commissioner's report for 2010:

    "More police forces and CSPs are introducing automated systems to manage their requirements for communications data ..."

    2.) RDHI:

    3.) BAE Systems Detica (now AI) paper on data retention, at page 5:

  5. Cyccomms is what police use for RIPA workflow