Saturday, 7 November 2015

Gagging Retention Orders

Clause 77(2) of the Draft IP bill states that a telecommunications operator must not disclose the existence or content of a "retention notice". A "retention notice" is the notice requiring that communications data be retained for up to 12 months and is not related to specific targeted surveillance. Retention notices are the "mass surveillance by ISPs" part of the bill.

Why not disclose the existence?

Maybe they don't want people to know which ISPs have had retention notices? But surely everyone will know the big players are going to be subject to one, such as BT, Virgin, Talk Talk, etc, so why would that be a secret?

Maybe they think people will choose an ISP that is not subject to a notice. But that makes no sense. For a start, anyone involved in any serious crime would assume they are monitored and use the simple step of Tor or VPN to bypass any such monitoring anyway. Also, whilst those served a notice cannot say anything, those not served can state they have not been served (as A&A do) so the public can still choose an ISP not served with such a notice.

Why not disclose the content?

Again this is odd - the notice will require retention of communications data, and the government have already said what the worst case scenario of that is - the names of every web site you visit. So why hide what the notice says?

Maybe they want to collect even more data than we thought - but in that case the notice should be public as the public have a right to know what is going on. This should not be a law saying you can collect almost anything you want, and then secret notices detailing how far they have actually gone with that. We need transparency.

Remember, this is not targeted surveillance - it would not be tipping off a suspect if a retention notice is served on an ISP. And indeed, many ISPs would not want to say if they have been served a notice or not in public anyway.

Why there should not be any gagging order, i.e. scrap clause 77(2)

Assuming this awful bill comes to law and ISPs are expected to somehow magically collect web addresses people visit and carry out this mass surveillance on the innocent citizens of the UK, this is a huge technical and operational headache for ISPs. If the notices are secret then each ISP is on their own to solve that problem. If the notices are not secret then ISPs can present details of their solutions in the various industry forums like ISPA and UKNOF. Indeed, knowing the details of notices, third party solutions suppliers can produce equipment to meet the requirements of notices.

There is also the matter of whether the police and authorities that may want to get at the data somehow have to know which ISPs have been served notices and what data they retain.

One wonders if a (R)IPA request from the police could be answered with "Sorry, I cannot provide any data relating to your request as to do so could reveal if we have been served with a retention notice which would be in breach of 77(2) of the IPA if we have, and if we have not, then we have no data to provide anyway".

So ultimately the secrecy will create worse solutions, slower, and at much higher cost. Is that really the best way to spend public money?


  1. Don't worry, it's probably not public money that's paying for this... :-)

  2. Maybe you could add a confirmation message to the invoice emails you send each month to reaffirm that A&A has still not been subjected to a retention notice. That way, when the message is absent, we'll know that you have been. Alternatively leave the message in a prominent place on the home page so if it ever disappears the conclusion will be obvious.

  3. "... worst case scenario of that is - the names of every web site you visit...."

    There seems to be talk about websites. Is it just web sites or everything?

  4. I saw a comment from someone suggesting the bill would outlaw warrant canaries in some way, i.e. if you were served one you would be required not to remove the text saying you have not been served (i.e. lie to your customers)...

    1. That would be quite a disturbing additional step in itself - not just prohibiting you from revealing something, but actively forcing you to lie about it - I suspect that one would struggle in the courts. If they can force RevK to lie to us to assist the police, can they just order him to go and infiltrate an Al Qaeda cell too?

      One more benign possible explanation for hiding the content of such an order is that it might be more narrowly focussed: for example, "record all the communications matching $description" ... not specific enough to get the old-fashioned "monitor RevK's line/account, he's up to something" order, but not totally non-specific either.

    2. @jas88: In the case of a focussed order, I can understand a *temporary* gagging order. But presumably at some point you've either arrested someone or dropped the case, so at that point there's no need for the gag any more.

      If you've arrested someone, then presumably they should be told about the order so they can use that evidence in their defence.

      And if orders are made public, even a couple of years after the event, then it's possible for the subjects of the order, the courts and the general public to review them. That would give many of the benefits that RevK is talking about, although not all. It would also allow either challenging the orders in court, or changing the law, or voting out of office the government who signed off on them.

      If I was cynical, I'd say that's why the gag orders exist - to protect the police and government from any oversight, and to prevent innocent people from using the data to exonerate themselves.

    3. So if an ISP told me they had not been served a retention notice and I bought their services on that basis, would I be able to sue the ISP for fraud if it later turns out that they had been served and had been forced to lie?

    4. I suspect a law requiring us to lie would trump contract law and so probably not - but it may not trump The Fraud Act, so could be an order to commit a crime, which is where the issue may lie.

    5. "That would be quite a disturbing additional step in itself - not just prohibiting you from revealing something, but actively forcing you to lie about it"

      Not only that, but it would also lead to the bizarre legal situation where the government could prohibit you from modifying or removing content from your own website, even though you were never obliged to publish the content in the first place.

      What if you just didn't want to publish the statement any more, because you felt it didn't fit with your new design? How long would the prohibition on removing the statement last? What if you shut down the web server, are you now breaking the law? If you published the statement on a separate domain (e.g. ""), are you now obliged to maintain both the domain and the web hosting, in perpetuity, at your own expense? And if you are forbidden to remove the statement, are you also forbidden to SAY that you are forbidden to remove the statement (effectively revealing the presence of the retention notice + gag order), or does the law also require you to "meta-lie" and say that you are publishing the statement of your own free will?

      This would perhaps be the most ridiculous example of compelled false speech since the Salem witch trials, although sadly that doesn't mean that the government won't attempt it.

  5. Both this and the "we want to ban any encryption that we can't decrypt" that the lunatics in government are trying to bring in are nothing more than an attempt at infringing our right to privacy. What they propose will make internet banking, online shopping even more insecure; their thinking is just bullshit, done in the name of anti TERRORIST TERRORISM, the two words they like to keep on using every time that they seek to further erode our rights, and also use to keep the sheeple (who know no better) scared. No way does this ever justify taking away our rights; do that and the terrorists have won!!!

  6. Remind me – who exactly are the terrorists here? Those who would, apparently, bomb us or those who say that there are those who would bomb us?

    1. The dictionary definition of Terrorist: a person who uses terrorism in the pursuit of political aims.
      And Terrorism: the use of violence and intimidation in the pursuit of political aims.

      I would say that telling the public "you must let us pass these laws, otherwise the terrorists will get you" would meet the definition of using intimidation in pursuit of political aims. These days I'm far more terrified about the government abusing its position than about the minuscule possibility of being blown up by someone with a political agenda.