There are also explanatory notes and an impact assessment that give some clue to the plans of the Home Secretary, but at this stage, with the bill as it is, all it does is change a definition in the Data Retention and Investigatory Powers Act so as to allow a wider scope for secondary legislation on data retention to be made by the Home Secretary. The change of scope is to add some additional data, such as port numbers, to the IP addresses in what is logged.
The underlying intention is not entirely clear - it seems to be an attempt to match IP addresses to individuals or devices.
This falls down for several reasons.
For a start, an IP address (and timestamp) is simply not going to be enough, and that is often all you have from the likes of web logs on a web site or some such. You need the source port at least, and in some cases the destination IP and port as well, because some address translation systems use the full set of IPs and ports at both ends to identify a connection. Even logging all this in the ISP would not help if all you have is an IP and date/time.
But then it is not clear how they could go further than just identifying a subscriber. Getting to a device or user is pretty much impossible. There are two things in the way...
End user NAT router
It is commonly the case that the end user has a router that does network address translation (NAT), which makes all of the devices in a home or office appear to be one external IP address. This translation is not normally logged by such devices, and even if it were, the device is outside the ISP's network. The ISP would only have to log if they generate or process the data, so any data outside their network does not have to be logged. Maybe some large ISPs that provide the router and manage it for the end user could have some sort of back door to log this, but it seems unlikely and not something any ISP really wants the hassle of doing. All they have to do is say that the kit belongs to their customer and bingo: not in their network; not data generated or processed by them; not logged.
Carrier grade NAT (CGNAT)
There is another type of translation that is starting to happen. This is where an end user does not have a public IP of their own but shares it with other unrelated users by some means in the ISP network. There are a lot of ways this can work, but some include a big box that does the translation. This assigns a new source port to each session at the TCP or UDP level so that traffic on the shared IP can be mapped back to the original customer. It may even assign different IPs to the same customer quite quickly. It could "overload" the IPs it uses, where the same source IP and port is used to different target IPs and ports, meaning you need all four bits of data (and the protocol and timestamp) to undo that translation.
Again, logging all of the CGNAT sessions is a massive job compared to now. At present ISPs subject to a retention notice (not A&A) need to keep their RADIUS logs, where they assign an IP to a connection when it is made. That allows the IP and date/time to be traced to a subscriber: one record per connection. Having to log CGNAT sessions means a record per TCP or UDP flow, many orders of magnitude more records. It makes CGNAT way more expensive.
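To make the tracing problem concrete, here is an added example that is not from the original post and not A&A's code: a lookup over a constructed CGNAT session table, run with progressively more evidence. The subscriber names, the addresses (RFC 5737 documentation ranges) and the log schema are all assumptions; the point it demonstrates is that IP plus timestamp, which is all a web server log gives you, matches every subscriber sharing that IP at that moment, and that with port overloading even the source port is not enough without the destination and protocol.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CgnatSession:
    """One translated flow as a CGNAT box might record it (constructed schema)."""
    subscriber: str   # ISP-internal account or line identifier
    proto: str        # "tcp" or "udp"
    public_ip: str    # shared public address chosen by the translator
    public_port: int  # translated (public-side) source port
    dst_ip: str
    dst_port: int
    start: datetime   # first packet seen
    end: datetime     # session teardown / last packet


def _t(hh, mm, ss):
    return datetime(2014, 11, 26, hh, mm, ss)


# Constructed sample: four subscribers behind the one shared public IP
# 203.0.113.5, overlapping in time. The translator "overloads" port 40001
# across different destinations and protocols, as real CGNAT deployments do.
SESSIONS = [
    CgnatSession("alice", "tcp", "203.0.113.5", 40001, "198.51.100.10", 443, _t(10, 0, 0), _t(10, 5, 0)),
    CgnatSession("bob", "tcp", "203.0.113.5", 40002, "198.51.100.10", 443, _t(10, 0, 30), _t(10, 4, 0)),
    CgnatSession("carol", "tcp", "203.0.113.5", 40001, "198.51.100.20", 80, _t(10, 1, 0), _t(10, 3, 0)),
    CgnatSession("dave", "udp", "203.0.113.5", 40001, "198.51.100.10", 443, _t(10, 0, 0), _t(10, 2, 0)),
]

# The timestamp a requester (say, a web server's access log) supplies.
QUERY_TIME = _t(10, 2, 0)


def lookup(sessions, when, public_ip, public_port=None, dst_ip=None, dst_port=None, proto=None):
    """Return the set of subscribers consistent with the evidence supplied.

    Every keyword left as None is a field the requester could not supply; the
    fewer fields given, the larger (more ambiguous) the result set.
    """
    matches = set()
    for s in sessions:
        if not (s.start <= when <= s.end):
            continue
        if s.public_ip != public_ip:
            continue
        if public_port is not None and s.public_port != public_port:
            continue
        if dst_ip is not None and s.dst_ip != dst_ip:
            continue
        if dst_port is not None and s.dst_port != dst_port:
            continue
        if proto is not None and s.proto != proto:
            continue
        matches.add(s.subscriber)
    return matches


def demo():
    """Run the same query with progressively more evidence; returns label -> subscribers."""
    evidence = {
        "ip+time (typical web server log)": dict(),
        "+ source port": dict(public_port=40001),
        "+ destination ip/port": dict(public_port=40001, dst_ip="198.51.100.10", dst_port=443),
        "+ protocol (full 5-tuple)": dict(public_port=40001, dst_ip="198.51.100.10", dst_port=443, proto="tcp"),
    }
    return {label: lookup(SESSIONS, QUERY_TIME, "203.0.113.5", **kw) for label, kw in evidence.items()}


if __name__ == "__main__":
    for label, subs in demo().items():
        print(f"{label:36s} -> {sorted(subs)}")
```

Two practical caveats the table above glosses over: the requester's clock and the translator's clock rarely agree to the second, so a real lookup has to widen the time window and accept a larger match set; and if the retained data is restricted to exclude destination addresses, the "+ source port" row is the best that can ever be achieved, which with port overloading is still several subscribers. Even the single-subscriber answer identifies a line, not a person or a device.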
Impact on IPv6
Increased cost for CGNAT should drive IPv6 deployment so as to get as little as possible running through the expensive CGNAT. That is sort of good news.
But even though IPv6 does not need CGNAT or an end user NAT router, it has privacy addressing (RFC 4941 temporary addresses), which is not logged anywhere. The ISP can log which prefix it assigned to a subscriber, but the interface identifier within that prefix is picked at random by the device, changes regularly, and never appears in the ISP's assignment logs. So back to the issue that an end device or user cannot be traced.
Responsibility for use of your internet connection?
One thing that is definitely not being stated is that people have any responsibility for others using their Internet link. This is about tracing the IP to them, but it is still 100% legal to run an open WiFi. It is still 100% legal to run a TOR exit node or a VPN endpoint. You are not responsible for what others do with your network. Indeed, having an open WiFi or TOR exit node is a great way to create plausible deniability. In some ways this new legislation is encouraging that!
There is still no tracing to an end user as a person or a device with this, and it is hard to see how there ever could be. Being still legal to run a TOR exit node, and to use TOR or VPNs, means that anyone can easily bypass all of this themselves, as well as having good excuses why traffic is leaving their network. The widespread use of TOR and VPNs encouraged by the default ban on porn makes this even more common and something of which terrorists will be well aware.
I am shocked that Theresa May has the audacity to make the statement on page 1 of the bill stating it complies with human rights. The ECJ said the EU data retention directive did not, and this legislation takes that and extends it. How can she say that a blanket surveillance of innocent users of the Internet in the UK is compliant with the right to privacy?
Bear in mind that in some cases CGNAT logs have to include details of what IPs you accessed to be useful, and so will basically log what web sites you visited and when. Well, "you", or someone using your Internet connection. That is a huge invasion of privacy. Notably the legislation seems to try to exclude that data, but without it many CGNAT systems are not logging enough to trace a connection back to a subscriber.
Impact on A&A?
- We have not had a data retention notice so do not log anything for law enforcement!
- Obviously, as now, if served with a suitable notice under RIPA to give out details of a subscriber from an IP we can do so, but that is targeted and with due legal process. We assign a fixed IP to all customers. We would always stress in such responses that the IP does not in any way identify a person that sent traffic and explain TOR and VPNs and open WiFi. I do not think we have had any valid requests for such data yet.
- If served with a retention notice we can claim costs, and they will not be small! We can also make a few minor reorganisations which will minimise the level of logging. Quite what would happen will depend on exact wording of the new Data Retention Directive itself enabled by this if it becomes law.
- Obviously we encourage IPv6 and are happy with people using privacy addressing which is default on so much kit these days.
- Obviously we will clarify in our terms and conditions that we do not "run" the end user router so do not have any logs to make from that.
- Obviously we encourage using https and TLS and your own mail servers to avoid logging.
- If we had a retention notice, our only big NAT box which runs a public service experimental NAT64 gateway may have to change hands so not belonging to an ISP, i.e. I may personally own it and so not have to log anything. No way we are keeping CGNAT logs. Actually, Thrall Horde is a legal entity, he can own it :-)
- In essence, nothing much changes for us, phew!
- Though, maybe, I have to be careful if I ever leave the country :-(
- Oh, and our voice SIMs do have a NAT unfiltered Internet connection, but the NAT is done outside the UK, so the legislation does not apply!